Subscribe to the Non-Human & AI Identity Journal

How should security teams handle malicious IDE extensions in developer environments?

Security teams should treat IDE extensions as governed software with access implications, not harmless productivity add-ons. Start by inventorying all extensions, reviewing declared permissions and activation events, and removing anything that executes code, reaches remote services, or touches credentials without a clear business need. Pair that with endpoint monitoring and approval workflows for privileged developer machines.

Why This Matters for Security Teams

malicious ide extension are risky because they sit inside the developer workflow with broad visibility into code, prompts, repositories, terminals, and often secrets. That makes them more than productivity tools; they are software supply chain components with access implications. Security teams should treat them as governed code, especially when extension marketplaces and updates can be abused to deliver credential theft, remote execution, or silent exfiltration. NIST’s control model for software and access governance remains relevant here, but the enforcement point has shifted closer to the endpoint and the developer’s daily tooling, not just the network boundary, as reflected in NIST SP 800-53 Rev 5 Security and Privacy Controls.

NHIMG research on adjacent compromise patterns shows why this matters operationally: the JetBrains GitHub plugin token exposure and Cisco DevHub NHI breach both illustrate how trusted developer tooling can become an identity and secrets pathway. In practice, many security teams encounter the abuse only after tokens, API keys, or source code have already been accessed through a “helpful” extension.

How It Works in Practice

The practical response starts with classifying extensions by capability, not by vendor popularity. Security teams should inventory every extension in approved IDEs, then separate low-risk formatters and linting tools from extensions that can execute arbitrary code, open network connections, or read clipboard, terminal, and filesystem content. The key question is whether the extension can observe or influence data that includes secrets, build artifacts, or authentication material.

A workable control pattern is to combine policy, endpoint enforcement, and developer workflow friction only where it matters:

  • Require approval for any extension with remote-code execution, outbound API access, or secret-scanning permissions.
  • Block installation of unsigned, unmanaged, or outdated extensions on privileged developer machines.
  • Log extension install, update, activation, and permission changes centrally for review.
  • Use EDR and DLP signals to detect unusual terminal access, credential reads, or exfiltration paths.
  • Revalidate extensions after major version updates, because permission drift is a common failure mode.

For teams handling sensitive code, the baseline should include secrets hygiene at the editor boundary. NHIMG’s State of Secrets in AppSec reports that only 44% of developers follow secrets-management best practices, which means extensions that can surface, copy, or transmit credentials are operating in an already fragile environment. That risk aligns with broader guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls around least privilege, monitoring, and configuration control.

Teams should also tie extension governance to identity-aware access policies. If an extension needs repository or secrets-manager access, that access should be mediated through approved service identities, short-lived tokens, and explicit approval workflows rather than personal developer credentials. These controls tend to break down when organisations allow unmanaged laptops or local admin rights, because the extension store and the endpoint become the easiest place for policy bypass.

Common Variations and Edge Cases

Tighter extension controls often increase developer friction and can slow onboarding, so organisations have to balance productivity against the blast radius of a compromised editor. That tradeoff is especially important for AI-assisted extensions, where behavior may change as models, prompts, or connected services change over time.

Current guidance suggests a stricter stance for extensions that touch credentials, source control, or external services, but there is no universal standard for how much telemetry is enough. Some teams can safely allow a broad catalog on low-trust workstations, while regulated environments should use allowlists only. The deciding factor is whether the machine can reach production secrets, signing keys, or internal package registries.

Edge cases also include temporary contractor devices, remote debugging add-ons, and extensions distributed through private marketplaces. Those environments need the same scrutiny as public plugins because supply-chain compromise often arrives through trusted distribution paths. Where the extension ecosystem is heavily custom or legacy IDEs are still in use, security teams should prioritise allowlisting, device posture checks, and rapid removal procedures over broad catalog management.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Malicious extensions often expose or mishandle secrets and tokens.
OWASP Agentic AI Top 10 AG-04 Extensions with autonomous or code-executing behavior expand tool abuse risk.
CSA MAESTRO GOV-02 Developer tooling governance is part of broader AI and software supply-chain control.
NIST CSF 2.0 PR.AC-4 Extension permissions must be constrained to least privilege.
NIST AI RMF If AI-assisted extensions are used, governance must address unpredictable model-driven behavior.

Apply AI RMF governance to review AI-enabled extensions for access, monitoring, and accountability.