Editor plugin: VS Code
VS Code extensions, checked before they run in your editor.
A VS Code extension runs with your editor's privileges. Extuno diffs each update and runs it live to catch workspace-trust abuse, task injection, and credential theft - static, dynamic, and AI analysis on every scan.
What Extuno catches in VS Code
Evidence, not guesswork.
Each finding names the change, why it is dangerous, and the recommended action.
- Diff finding: Workspace-trust abuse (Critical). An update auto-runs a task on folder open, before you opt in.
- Diff finding: Credential theft (Critical). The extension reads ~/.aws and environment tokens and exfiltrates them.
- Diff finding: New child process (Review). A build step spawns a shell that was not present in the prior version.
See it on a poisoned update
From editor trust to token theft
Extuno runs the extension in a sandbox and records the exact chain from trust prompt to exfiltration.
- Vulnerability and secret-leak testing on every version
- Static analysis reads the code without running it
- Dynamic sandbox runs it live and records behavior
- AI code analysis reads the full source and correlates the change against prior versions
1. Open workspace
2. Extension requests trust
3. Runs a build task
4. Spawns hidden shell
5. Exfiltrates ~/.aws + tokens
Scan your first VS Code plugin free.
Your first 5 credits are free - that is 5 full scans, no card required.