The VS Code Malware That Captures Your Screen

This blog post is about a malicious (or at least very shady) VS Code extension that can capture your screen, which is absolutely possible with the current VS Code extension model.

Why this is possible
VS Code extensions can:
  • Run arbitrary code with your user’s privileges (Node.js / system calls).
  • Access files in your home directory and project folders.
  • Send data over the network.
  • On some platforms, call OS APIs to grab screenshots or record input.
There’s basically no fine‑grained permission system like on mobile apps; if you install an extension, you’re trusting its author.

Practical steps to stay safer
If this article made you nervous, these are good mitigations:

  • Audit your extensions
    • Remove anything you don’t actively use.
    • Be extra careful with “productivity”, “AI helper”, “theme”, and “formatter” extensions from unknown publishers.
    • Prefer well‑known vendors, many installs, many reviews, and a long history of updates.
  • Check what’s already installed
    • VS Code: Extensions → … menu → Show Installed Extensions.
    • On disk:
      %USERPROFILE%\.vscode\extensions (Windows)
      ~/.vscode/extensions or ~/.vscode-oss/extensions (Linux/macOS).
    • If you see something you don’t remember installing, search its name + “malware” and consider removing it.
  • Be cautious with AI / code‑generation extensions
    Many of them send your code or prompts to external servers. That’s not automatically malicious, but it is a privacy and IP risk.
  • Use Workspace Trust
    Keep VS Code’s Workspace Trust enabled, and don’t trust random downloaded repos. Untrusted workspaces restrict some extension behavior.
  • Harden the environment
    • Use a standard (non‑admin) Windows account for daily work.
    • Consider doing risky dev work (random GitHub repos, try‑out extensions) inside a VM or disposable container.
    • Keep a reputable security suite running that can at least block known malware and suspicious outbound connections.
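As an added example (not code from the original post or from any extension it discusses), this script automates the "Check what's already installed" step above across the directories the post names: it reads each extension's package.json, reports extensions from publishers you have not explicitly trusted, and singles out "theme" extensions that declare a code entry point, since a pure colour theme never needs to execute anything. The trusted-publisher list and the sample manifests are constructed assumptions; edit the list for your own setup.

```python
import json
from pathlib import Path

# Publishers you have decided to trust; hypothetical list, edit it for your own setup.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode", "vscode", "redhat"}
# Default VS Code extension directories (the locations named in the post).
EXTENSION_DIRS = [Path.home() / ".vscode" / "extensions",
                  Path.home() / ".vscode-oss" / "extensions"]

def audit_manifest(manifest: dict, trusted=TRUSTED_PUBLISHERS) -> dict:
    """Classify one extension's package.json. Extensions that only contribute themes,
    grammars or snippets have no entry point ("main"/"browser") and never execute in the
    extension host; anything with an entry point runs with your user's privileges."""
    publisher = manifest.get("publisher", "<unknown>")
    runs_code = "main" in manifest or "browser" in manifest
    flags = []
    if publisher not in trusted:
        flags.append("untrusted-publisher")
    if runs_code and "Themes" in manifest.get("categories", []):
        flags.append("theme-with-code")  # a colour theme has no reason to ship code
    if runs_code and publisher not in trusted:
        flags.append("untrusted-code-execution")
    return {"id": f"{publisher}.{manifest.get('name', '<unknown>')}",
            "version": manifest.get("version", "?"), "runs_code": runs_code, "flags": flags}

def audit_manifests(manifests, trusted=TRUSTED_PUBLISHERS):
    """Return the findings for every manifest that raised at least one flag."""
    return [r for r in (audit_manifest(m, trusted) for m in manifests) if r["flags"]]

def load_installed(dirs=EXTENSION_DIRS):
    """Read package.json from every extension folder under the directories that exist."""
    manifests = []
    for base in (d for d in dirs if d.is_dir()):
        for pkg in base.glob("*/package.json"):
            try:
                manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
            except (OSError, ValueError):  # an unreadable manifest is itself worth a look
                manifests.append({"publisher": "<unreadable>", "name": pkg.parent.name})
    return manifests

# Constructed sample manifests so the script runs offline; not real extensions.
SAMPLE_MANIFESTS = [
    {"publisher": "ms-python", "name": "python", "version": "2024.0.0", "main": "./out/main.js"},
    {"publisher": "some-dev", "name": "dark-ocean", "version": "1.0.0", "categories": ["Themes"]},
    {"publisher": "some-dev", "name": "cool-theme", "version": "1.2.0",
     "categories": ["Themes"], "main": "./out/extension.js"},
]
if __name__ == "__main__":
    for finding in audit_manifests(load_installed() or SAMPLE_MANIFESTS):
        print(finding)
```

The same inventory is available from the command line with `code --list-extensions --show-versions`; the script adds the entry-point check that the CLI listing does not show.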

If you’re worried you might already be compromised
  • Uninstall any suspicious VS Code extensions.
  • Run a full system scan with a reputable AV/EDR.
  • Monitor for unusual outbound connections (security suite, firewall logs, or tools like Sysmon if you’re comfortable with them).
  • If you handle sensitive data (company code, credentials, etc.), consider rotating important passwords and tokens as a precaution.

If you’d like, post the list of your installed VS Code extensions (names/publishers only, no logs or private data), and I can help you look for anything obviously risky or suspicious.