If your organization doesn’t manage extensions and your users can freely install any browser and VSCode addons, you have an unmanaged code execution surface running with potentially elevated trust on your devices. The GitHub breach last month is just the latest proof of this.  

GitHub confirmed that around 3,800 internal repositories were exfiltrated after an employee installed a malicious VSCode Extension. The attacker didn’t need to phish credentials, bypass MFA, or exploit a zero-day. They simply waited for a user to install their extension.

The marketplace has been a problem for years 

There was several news about both VSCode extensions and browser extensions containing malicious code. However, browser extensions are more widespread; they install productivity tools, AI chatbots, grammar checkers etc.,and have broad access to every site they visit (yes, including your internal web apps).  

They can read and modify page content, intercept and alter network requests, access stored cookies and session tokens, capture keystrokes, and run silently in the background. A legitimate extension acquired by cyber criminals could contain malicious code via updates.  

Most organizations have no visibility for installed extensions.

What we recommend 

Allowlist: Communicate to your users that only organizationally approved extensions can be installed after (give them at least a week or longer depending on company size) and instruct them to raise tickets with a list of the extensions that should be on the allow list. If they need a new one later, the process is the same. Raise a ticket!  

Use Intune or GPO to enforce extension policy. Chrome, Edge and Firefox, they all support extension management policies. VSCode also supports extension management.  

If you need any help with the implementation of extension management policies through Intune or GPO, do not hesitate to contact us.