Subscribe to the Non-Human & AI Identity Journal

How should security teams handle VS Code extensions that change after installation?

Treat the extension as a versioned trust relationship, not a one-time approval. Revalidate when a publisher updates code, especially if the extension auto-activates, downloads remote content, or can execute on startup. The safest model is continuous review of the installed version, the publisher’s behaviour, and the endpoint context where the extension runs.

Why This Matters for Security Teams

VS Code extensions are not static software artifacts. A trusted extension can change behaviour after installation through publisher updates, remote code loading, new activation events, or added network reach. That matters because the security decision was often made once, while the risk evolves continuously. NHI Management Group’s Ultimate Guide to NHIs notes that 96% of organisations store secrets outside secrets managers in vulnerable locations, which makes developer tooling a high-value control point. This is not just endpoint hygiene; it is a trust-lifecycle problem.

Security teams often miss that an extension can behave like a privileged workload identity inside the developer environment. It may read files, call external services, inject commands, or auto-run on startup. That means the relevant question is not only whether the extension was approved, but whether its current version still deserves that approval under the endpoint context where it executes. Current guidance from NIST SP 800-53 Rev 5 Security and Privacy Controls supports continuous monitoring and configuration management rather than one-time trust decisions. In practice, many security teams encounter extension abuse only after a publisher update or supply-chain change has already expanded access.

How It Works in Practice

The safest operational model is to treat each installed extension as a versioned trust relationship. That means the approval is tied to the specific publisher, package version, activation behavior, permissions, and the endpoint context in which it runs. When any of those changes, the trust decision should be revalidated. For teams managing developer fleets, this is best handled through policy-as-code, inventory, and change detection rather than manual review alone.

Practical controls usually include:

  • Maintain an allowlist of approved extensions with pinned versions or narrow update ranges.
  • Track publisher identity, release notes, and behavioral deltas such as new activation triggers or network calls.
  • Re-scan extensions after update for bundled scripts, post-install actions, and remote content retrieval.
  • Monitor endpoint telemetry for unexpected child processes, file access, credential reads, or outbound connections.
  • Require elevated review when an extension can execute on startup, modify workspace files, or access secrets.

For identity-adjacent controls, the key lesson from the Ultimate Guide to NHIs is that long-lived trust is usually where compromise persists. If an extension can reach tokens, API keys, or internal services, its privilege should be treated like a non-human identity with an explicit lifecycle. NIST’s control set also reinforces that change management, system monitoring, and least privilege need to be applied after installation, not only at procurement. These controls tend to break down in developer environments that auto-update extensions silently and allow unrestricted outbound internet access because new behavior can land before review completes.

Common Variations and Edge Cases

Tighter extension control often increases friction for developers, requiring organisations to balance safety against speed and usability. That tradeoff becomes sharper in large engineering teams, remote work setups, and environments where extensions are updated automatically by user choice. There is no universal standard for this yet, but current guidance suggests treating high-risk extensions differently from low-risk productivity add-ons.

Common edge cases include marketplace extensions that fetch remote rules or models after install, open-source tools that change behavior across minor releases, and enterprise extensions that are safe only inside a specific network or workspace boundary. In those cases, version pinning alone is not enough if the extension can still pull remote code or content. Some teams also separate “approved for install” from “approved for execution,” which is useful when an extension is only permitted in sandboxed developer images or managed workstations.

The strongest programs combine software inventory, publisher reputation checks, runtime telemetry, and rapid revocation when behavior changes. Where teams lack endpoint visibility or cannot inspect update behavior, the control degrades quickly and should be assumed incomplete. That is especially true for extensions that can auto-activate on file open, clone remote configuration, or interact with secrets before a user notices the change.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Version drift in extensions maps to changing non-human identity trust and credential exposure.
NIST CSF 2.0 PR.AC-4 Least privilege and access review apply when extensions gain new capabilities.
NIST AI RMF Agent-like extension behavior changes require ongoing risk monitoring and governance.

Continuously assess extension behavior, context, and impact as conditions change.