How to Audit Your VS Code Extensions for Security

VS Code extensions are not sandboxed. When you install one, it runs with the same permissions as VS Code itself:

• It can read every file in your open workspace, including .env.local and any credential file.
• It can access environment variables set in your shell session.
• It can spawn processes and make outbound network requests — silently.
• A verified publisher badge proves domain ownership, not that every update pushed under that account is safe.

Open a terminal and run this command. It prints every installed extension in publisher.extensionname format:

• Count them. If you have more than 20, you almost certainly have some you no longer use.
• Extensions installed once for a specific project, forgotten tutorial plugins, or tools that haven't been updated in two years — they are all running.
• Unused extensions are pure attack surface with zero upside. Uninstall them.

code --list-extensions

For every extension you actively use, spend 60 seconds checking these three things:

• Verified publisher badge. Look for the blue checkmark next to the publisher name in the marketplace. This means the publisher verified domain ownership and maintained good standing for at least six months. Extensions without it deserve more scrutiny.
• Last update date. An extension that hasn't been updated in over a year is unlikely to receive a security patch if a vulnerability is found. If it's also not open-source, you have no way to audit it. Evaluate whether you still need it.
• The GitHub repository. Most legitimate extensions link to a public repo from their marketplace page. Click it. Check whether issues are being responded to, whether the last commit is recent, and whether the codebase looks actively maintained.

You cannot disable auto-updates entirely without breaking security patches, but you can limit what extensions can reach:

• Enable extensions per-workspace. VS Code lets you enable an extension only for specific workspaces. If an extension is only needed for one project, set it that way. It won't run in other projects and can't touch those credentials.
• Use a separate VS Code profile for sensitive work. Profiles let you maintain different extension sets for different contexts — a general dev profile and a locked-down profile for anything involving production secrets or client code.
• Keep `.env` files out of VS Code workspaces where possible. When you open a folder, every extension can see all files in it. Use a secrets manager or set variables in your deployment platform's dashboard instead of keeping them in local files.

If you had Nx Console installed between approximately 12:30 and 12:50 UTC on May 18, 2026, treat your credentials as compromised. The same logic applies to any extension you aren't certain about:

• Rotate immediately: GitHub personal access tokens, npm publish tokens, AWS access keys — in that order of priority.
• Check your GitHub security log under Settings > Security log for any unexpected actions in the 48 hours after any suspicious install.
• Revoke and regenerate any API keys your machine had access to, starting with the highest-privilege ones.
• If you use 1Password, Bitwarden, or any other password manager with a VS Code integration — rotate the master credential or access token for that integration.

This is not a one-time fix. New extensions get compromised. Maintainers abandon projects. Add a recurring calendar reminder for every three months and work through this checklist:

• Run code --list-extensions and remove anything you haven't used since the last audit
• Check that actively-used extensions still have a verified publisher badge and recent commits
• Review which extensions are enabled globally versus workspace-only
• Confirm your most critical credentials (GitHub, npm, AWS) have been rotated within the last 90 days