ETHSecurity Community

We are seeing a lot more attacks utilizing malicious VSCode and Browser extensions (although these have been around for a while).

For browser extensions you can use "managed chrome" instances to control what can/cant be installed to make sure no extensions are installed that are malicious. You can also choose to block particularly bad extensions.

For VSCode extensions you are basically SOL, right now my advice is this:

Wherever possible please use [vscode.dev](http://vscode.dev) to open untrusted projects as it means that there is little chance they can execute code on your behalf. VSCode projects can execute arbitrary code when opening if you click “I trust this application/codebase”

If you want to scan the extensions before installing you can use this to validate both chrome and vscode extensions:

https://www.extensiontotal.com/