VS Code extension + settings audit
Sideloaded extensions, untrusted publishers, workspace-trust disablement, MITM proxy, shell hijacks, project-scoped risky keys (V1-V7).
VS Code extensions run with the user's privileges, share the window's network access, and (with no sandbox in the stable build) can read every workspace file the operator opens. A malicious extension OR a settings.json that disables workspace trust is silent code-exec on developer hosts.
Config locations searched
Extension directories (auto-discovered):
- ~/.vscode/extensions/
- ~/.vscode-insiders/extensions/
- ~/.vscode-oss/extensions/
- ~/.cursor/extensions/
- ~/.windsurf/extensions/
- %APPDATA%/Code/User/extensions/ (Windows)
Settings files (all platforms):
- ~/Library/Application Support/Code/User/settings.json (macOS)
- ~/.config/Code/User/settings.json (Linux)
- %APPDATA%/Code/User/settings.json (Windows)
- Equivalents for Code-Insiders + Cursor
- Project-scoped: ./.vscode/settings.json (ships in repos — higher risk)
What's parsed
Extensions: publisher, name, version, main, activationEvents, contributes.commands count, declared capabilities, and the .vsixmanifest's sourceMarketplace tag to distinguish Marketplace vs sideloaded VSIX.
Settings (JSONC-tolerant — // and /* */ comments + trailing commas): workspace trust enabled, untrustedFiles mode, http.proxyStrictSSL, shell + automation-profile overrides per OS, task auto-detect, extension auto-update.
Trusted-publisher allowlist
KNOWN_GOOD_PUBLISHERS covers Microsoft, GitHub, Anthropic, Continue, Cline, Roo, Cursor, language servers (ms-python, rust-lang, golang, redhat, dbaeumer, biomejs, charliermarsh, etc.), AWS, Google, HashiCorp, Azure-tools.
Extend via DIGGER_VSCODE_TRUSTED_PUBLISHERS (comma-separated).
Detection layers (V1–V7)
| ID | Severity | What it catches | MITRE |
|---|---|---|---|
| V1 | medium | Sideloaded extension — .vsixmanifest doesn't carry the Marketplace source. Skipped Marketplace review; legit for in-development, suspicious otherwise. | T1195.002 |
| V2 | medium | Untrusted publisher — not on KNOWN_GOOD_PUBLISHERS allowlist. | T1195.002 |
| V3 | high | security.workspace.trust.enabled = false. Workspace trust is what prevents auto-tasks-on-open in a freshly-cloned repo. | T1546 |
| V4 | medium | security.workspace.trust.untrustedFiles = "open". Files outside trusted folders auto-load. | T1546 |
| V5 | high | http.proxyStrictSSL = false. MITM-permissive — every extension's calls (Copilot, Continue, Marketplace, language servers, telemetry). | T1557 |
| V6 | high | Terminal shell or automation-profile points at a writable / scratch path (/tmp, /Users/Shared, /private/var/folders). Hijacks every terminal the user opens. | T1059 |
| V7 | high | Project-scoped .vscode/settings.json sets any of the above risky keys. Clone + open auto-trips. Escalation of the per-key finding. | T1195.002 |
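
The settings checks in the table (V3 to V7), applied to a JSONC settings file. This is an added example, not digger's own code. The `terminal.integrated.*` keys are VS Code setting names; which of them digger inspects, the function names and the sample file are assumptions.

```python
import json
import re

_STR = r'"(?:\\.|[^"\\])*"'
_COMMENTS = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STR + r"|,(?=\s*[}\]])")
_SHELL_KEY = re.compile(r"terminal\.integrated\.(shell|automationProfile|profiles)\.(linux|osx|windows)$")
SCRATCH = ("/tmp", "/Users/Shared", "/private/var/folders")  # prefixes named in the V6 row

# Constructed sample of a project-scoped settings file; the proxy URL holds // inside a string.
SAMPLE = """{
  "http.proxy": "http://proxy.example:8080",
  "http.proxyStrictSSL": false, /* V5 */
  "security.workspace.trust.enabled": false, // V3
  "terminal.integrated.automationProfile.linux": { "path": "/tmp/.cache/sh", },
}"""

def load_jsonc(text):
    """Parse JSONC: drop comments, then trailing commas, leaving string literals intact."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep, _COMMENTS.sub(keep, text)))

def _paths(val):
    """Yield shell paths from a legacy string, a profile object, or a map of profiles."""
    if isinstance(val, str):
        yield val
    elif isinstance(val, list):
        for item in val:
            yield from _paths(item)
    elif isinstance(val, dict):
        for k, v in val.items():
            if k == "path" or isinstance(v, dict):
                yield from _paths(v)

def audit(text, project_scoped=False):
    """Return (id, severity, key) findings for the V3-V7 settings checks."""
    s, hits = load_jsonc(text), []
    if s.get("security.workspace.trust.enabled") is False:
        hits.append(("V3", "high", "security.workspace.trust.enabled"))
    if s.get("security.workspace.trust.untrustedFiles") == "open":
        hits.append(("V4", "medium", "security.workspace.trust.untrustedFiles"))
    if s.get("http.proxyStrictSSL") is False:
        hits.append(("V5", "high", "http.proxyStrictSSL"))
    for key, val in s.items():
        scratch = any(p == d or p.startswith(d + "/") for p in _paths(val) for d in SCRATCH)
        if _SHELL_KEY.match(key) and scratch:
            hits.append(("V6", "high", key))
    if project_scoped and hits:  # V7 escalates the per-key findings above
        hits.append(("V7", "high", ".vscode/settings.json"))
    return hits
```

Comment stripping is string-aware, so a `//` inside a URL value is not mistaken for a comment, and the scratch-path match is on whole path components, so `/tmpfoo` does not count as `/tmp`.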
CLI
$ digger vscode audit --case-dir /tmp/case [--roots ext_root1,ext_root2]
[vscode] extensions audited: 47
[vscode] sideloaded: 1
[vscode] settings files audited: 3
[vscode] with risky keys: 0
[vscode] artifacts emitted: 50