Subscribe to the Non-Human & AI Identity Journal

What breaks when a developer extension can run remote code on startup?

The control assumption that an extension is a passive tool breaks immediately. Startup activation plus shell execution turns the editor into a code runner with access to whatever credentials and sessions exist on the workstation. That can expose source-control tokens, cloud credentials, and SSH keys before any user prompt or review step occurs.

Why This Matters for Security Teams

A developer extension that can run remote code on startup is not a harmless productivity feature. It changes the trust boundary from “editor add-on” to “unreviewed execution path on a privileged workstation.” That means source-control tokens, cloud sessions, SSH keys, and browser-authenticated access can be exposed before any human sees a prompt. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls treats this as a control and software supply chain problem, not just an application bug.

NHIMG research shows how often identity material becomes the blast radius: the Ultimate Guide to NHIs reports that 96% of organisations store secrets outside secrets managers in vulnerable locations such as code, config files, and CI/CD tools. In practice, a startup-executing extension can reach those secrets faster than most detection workflows can react. In practice, many security teams encounter the compromise only after tokens have already been reused elsewhere, rather than through intentional review of the extension’s runtime behaviour.

How It Works in Practice

The failure mode is simple: the extension inherits the workstation’s trust and then executes remote instructions at the earliest possible moment. That creates a pre-authentication, pre-review execution channel that can read files, inspect environment variables, call local tools, and reach networked services under the user’s session. The security question is no longer “Is the extension approved?” but “What can code launched by the extension do before policy or user awareness intervenes?”

Operationally, teams should treat this as a software provenance and workload identity issue. A safe baseline is to allow only signed, allowlisted extensions, restrict outbound network access for the editor process, and separate developer credentials from the general desktop session. Secrets should come from short-lived brokers, not local persistence. Where feasible, use just-in-time access, device posture checks, and per-task authorisation so the extension cannot inherit broad standing privilege.

  • Constrain startup hooks so remote fetches cannot trigger arbitrary shell execution.
  • Run extensions in a sandbox or isolated profile with minimal filesystem and network reach.
  • Prefer short-lived tokens over long-lived API keys, and revoke them automatically after use.
  • Monitor for credential access, child process spawning, and unusual local discovery behavior.

For implementation detail, combine Schneider Electric credentials breach lessons with NIST’s control model and secrets hygiene guidance in The State of Secrets in AppSec, which highlights how slow remediation and scattered secret storage amplify initial access. These controls tend to break down when extensions are permitted to launch helper processes with full user privileges because the editor becomes indistinguishable from an operator-controlled automation host.

Common Variations and Edge Cases

Tighter extension controls often increase developer friction, so organisations have to balance productivity against exposure. That tradeoff is especially visible in VS Code-like ecosystems, internal plugin marketplaces, and teams that rely on remote development containers.

Current guidance suggests that “trusted publisher” labels alone are not enough when remote code can run on startup. Best practice is evolving toward layered trust: extension signing, static review, network egress limits, and separation of credentials from the interactive desktop. There is no universal standard for this yet, so teams should adapt the control set to the local risk profile rather than assume one policy fits every developer environment.

Edge cases matter. If the workstation also holds cloud console sessions, SSO refresh tokens, or SSH agent forwarding, the extension’s blast radius grows significantly. If the environment uses shared jump boxes or persistent dev VMs, one compromised startup path can affect multiple projects. The safest pattern is to pair editor hardening with rapid secret rotation and offboarding discipline, especially where Google Firebase misconfiguration breach-style exposure can turn a single misstep into broad data access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Remote startup code can expose and reuse non-human secrets immediately.
NIST CSF 2.0 PR.AC-4 Startup code execution depends on overbroad access tied to the user session.
NIST AI RMF Unreviewed startup execution is a governance and runtime risk requiring accountability.

Inventory extension-reachable secrets and enforce rotation, revocation, and least privilege for every exposed NHI.