Dev Encyclopedia
ArticlesToolsContactAbout

Get notified when new content drops

No spam. Just new articles, tools, and updates straight to your inbox.

Dev Encyclopedia

A reference for builders

Content

  • Articles
  • Tools
  • About
  • Contact

Connect

  • support@devencyclopedia.com
  • RSS Feed

Legal

  • Privacy Policy
  • Terms of Service
  • Disclaimer

ยฉ 2026 Dev Encyclopedia

Back to top โ†‘
  1. Home
  2. /
  3. Tools
  4. /
  5. ExtensionAudit
Free ยท Live

Audit all your VS Code extensions in one paste.

After the GitHub breach, you should know what's running inside your editor. ExtensionAudit checks your entire installed list for unverified publishers and stale extensions, instantly, no install required.

  1. 1

    Run in terminal

    code --list-extensions
  2. 2

    Paste the output

    into the box below
  3. 3

    See your risk report

    per extension, in seconds
Zeeshan Tofiq

Zeeshan Tofiq

Full Stack Developer

What the risk signals mean

Low risk

Publisher is verified on the marketplace AND the extension was updated within the last 6 months.

Review recommended

Publisher is unverified, or the extension hasn't been updated in 6โ€“12 months. Worth a manual check.

High risk

Publisher is unverified AND the extension hasn't been updated in over a year. Strong candidate for uninstalling.

Unknown

Not found in the public marketplace. Could be a private, corporate, or typo'd extension ID.

What to do with each result

Green: No action needed

  • Continue using. Publisher is verified and the extension is actively maintained.

Yellow: Review recommended

  • Click the marketplace link and check the extension's GitHub repository for recent activity.
  • If you still need it: enable it per-workspace only instead of globally, press Ctrl+Shift+P โ†’ "Enable Extension (Workspace Only)".
  • If you don't use it: uninstall it. Unused extensions are pure attack surface.

Red: Evaluate carefully

  • Check the last commit date on the GitHub repository. Abandoned + unverified = high risk.
  • Ask yourself: have you used this extension in the last 90 days? If no, uninstall it now.
  • If you keep it: enable per-workspace only, Ctrl+Shift+P โ†’ "Enable Extension (Workspace Only)".

Unknown: Not in the public marketplace

  • This is expected for corporate or private extensions hosted on Azure DevOps.
  • If you don't recognise the extension ID, investigate: it may be a typo, a renamed extension, or something you don't remember installing.
  • Verify the source through your internal security channels before keeping it.

Make this a quarterly habit

Run code --list-extensions every 3 months and re-paste here. Extensions get compromised after you install them: a verified publisher today is not a guarantee for tomorrow.

Frequently Asked Questions

How does ExtensionAudit work?
  1. Run code --list-extensions in your terminal and paste the output into the text box.
  2. ExtensionAudit parses the list, then queries the VS Code Marketplace API directly from your browser.
  3. It fetches publisher verification status, install counts, and last update dates for each extension.
  4. The risk signal is calculated from those factors. No data is sent to DevEncyclopedia servers.
What does the risk signal mean?
SignalMeaning
๐ŸŸข GreenPublisher verified + updated within 6 months
๐ŸŸก YellowPublisher unverified, or not updated in 6โ€“12 months
๐Ÿ”ด RedPublisher unverified AND not updated in 1+ year
โšซ UnknownNot found in the public marketplace
What is a verified publisher?

The blue checkmark means the publisher verified domain ownership and has maintained good standing for at least six months.

โš  Warning

A verified badge is a meaningful signal, but not a guarantee. The May 2026 Nx Console breach happened through a verified publisher whose account token was stolen. A badge reduces risk: it doesn't eliminate it.

I have red or yellow extensions. What should I do?
  1. Click the marketplace link and review the extension's GitHub repository for recent activity.
  2. Ask yourself: have you used this extension in the last 90 days? If no, uninstall it: unused extensions are pure attack surface.
  3. If you keep it: enable it per-workspace only, press Ctrl+Shift+P โ†’ "Enable Extension (Workspace Only)".
Is my extension list private?

ExtensionAudit processes your list entirely in your browser. Extension names are sent directly to the VS Code Marketplace API to fetch metadata. DevEncyclopedia never receives or stores your extension list.

What about private or corporate extensions?

Private extensions hosted on a corporate Azure DevOps feed will not appear in the public VS Code Marketplace. ExtensionAudit shows them as Unknown, that is expected. Evaluate those extensions through your internal security channels.

Related reading

Guide

How to Audit Your VS Code Extensions for Security

The full guide on what to check, how to reduce your attack surface, and what to do if you're concerned.

Guide

Environment Variables in Next.js

Keep secrets out of your workspace and out of reach of extensions: how to manage env vars correctly.

Zeeshan Tofiq

Zeeshan Tofiq

Full Stack Developer

Full stack developer with over 6 years of experience building production applications. Writes practical guides on JavaScript, TypeScript, React, Node.js, and cloud infrastructure. Focused on helping developers solve real problems with clean, maintainable code.

Enjoyed this article?

Get practical dev guides, tool updates, and new articles delivered straight to your inbox. No spam, unsubscribe anytime.

Your extension list is processed locally. Queries go directly to the VS Code Marketplace โ€” nothing is sent to DevEncyclopedia servers.