Ask HN: Is this VSCode extension malicious?
I run a small programming YouTube channel and someone with a Gmail address asked if they could sponsor me.
They wanted me to review this VSCode extension[1].
Everything seems super dodgy: The extension only has 2 reviews, the linked repo[2] doesn't actually contain the source code.
I downloaded the sources from the extension marketplace, but the code is minified and obfuscated. I tried a de-minifier but the file is a few thousand lines long so it's hard to say if there's malicious code.
Is there a way to determine if this extension is safe to use? Simply installing it could give an attacker full access to my machine, right?
[1] https://marketplace.visualstudio.com/items?itemName=solomonkinard.git-blame [2] https://github.com/solomonkinard/public
100% stay away from it.
I think a better question is: "How can you ensure any VS Code extension is safe to use?"
Understanding exactly what an extension does and getting clarity around how it operates is something that I'd like to better understand as well.
It makes me think that moving to other editors like Neovim might be a safer way to go, if Microsoft has created an environment where malicious plug-ins can operate.
Thanks, yeah, I def won't install it.
Looks like there are some calls to `fs` and `path`, so it's definitely reading the file system, which could be legitimate, but yeah hard to say.
Kinda wild that simply installing an extension can give the author full access and there isn't really a way to verify extension code.
I mean even if they had linked a repo that actually contained code, how can I know that the code from the repo is actually the same that gets downloaded when the extension is installed?