Editor plugin: VS Code

VS Code extensions, checked before they run in your editor.

A VS Code extension runs with your editor's privileges. Extuno diffs each update and runs it live to catch workspace-trust abuse, task injection, and credential theft - static, dynamic, and AI analysis on every scan.

What Extuno catches in VS Code

Evidence, not guesswork.

Each finding names the change, why it is dangerous, and the recommended action.

  • Workspace-trust abuse (Diff finding, Critical): An update auto-runs a task on folder open, before you opt in.
  • Credential theft (Diff finding, Critical): The extension reads ~/.aws and environment tokens and exfiltrates them.
  • New child process (Diff finding, Review): A build step spawns a shell that was not present in the prior version.

See it on a poisoned update

From editor trust to token theft

Extuno runs the extension in a sandbox and records the exact chain from trust prompt to exfiltration.

  • Vulnerability and secret-leak testing on every version
  • Static analysis reads the code without running it
  • Dynamic sandbox runs it live and records behavior
  • AI code analysis reads the full source and correlates the change against prior versions

  1. Open workspace
  2. Extension requests trust
  3. Runs a build task
  4. Spawns hidden shell
  5. Exfiltrates ~/.aws + tokens

Scan your first VS Code plugin free.

Your first 5 credits are free - that is 5 full scans, no card required.