TL;DR: The SaassyCode campaign added five more malicious VS Code extensions in two days, bringing the total to 24 confirmed extensions and more than 32,000 installs, with one still live and using the same lure, activation pattern, and execution chain, according to Knostic. The persistence of the campaign shows how extension ecosystems can outpace manual review and why developer workstation controls must treat IDE extensions as a supply-chain and identity risk, not just a productivity feature.
NHIMG editorial — based on content published by Knostic: SaassyCode’s VS Code extension campaign showing active malware persistence
By the numbers:
- As of June 11, the campaign stands at 24 confirmed extensions and more than 32,000 installs across the full campaign.
Questions worth separating out
Q: What should security teams do when a VS Code extension starts spawning script hosts?
A: Treat code.exe spawning cscript.exe or mshta.exe as a high-confidence compromise signal, not as normal editor behavior.
Q: Why do malicious developer extensions increase identity risk?
A: Because they can inherit trust from a managed workstation and reach the same secrets, session artifacts, and local credentials that attackers value in other NHI compromise paths.
Q: How can organisations reduce risk from silent extension updates?
A: Use separate approval for first install and for subsequent version changes, especially where extensions can execute code or access local files.
Practitioner guidance
- Inventory all installed VS Code extensions Build an enterprise inventory of installed extensions, including version history and publisher name, so you can identify the live Boardwalk Plus package and any lookalike publisher variants.
- Hunt for suspicious process ancestry Alert on code.exe spawning cscript.exe or mshta.exe, then check whether the child process wrote script files into %TEMP% or executed from an extension directory.
- Review auto-update behavior for developer tools Separate initial approval from update approval for extensions, because a clean first release can later deliver malicious functionality through the normal marketplace channel.
What's in the full article
Knostic's full research covers the operational detail this post intentionally leaves for the source:
- Full extension metadata for the Boardwalk cluster, including publisher names, install counts, and version identifiers.
- Static source-code findings from extension.js, including the exact activation logic and dropper chain.
- Additional indicators of compromise, including file paths, hashes, and network IOCs not reproduced here.
- Remediation notes and methodology details for analysts validating the campaign across managed endpoints.
👉 Read Knostic's analysis of the SaassyCode VS Code extension campaign →
VS Code extensions, active persistence, and what developers should check?
Explore further
Trusted developer tooling is now part of the identity attack surface. A malicious extension does not need to break authentication to matter. It can inherit trust from the developer workstation, then abuse that trust to reach secrets, session artifacts, and downstream services. The practitioner implication is that workstation software provenance now belongs in identity governance, not only endpoint hygiene.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.
A question worth separating out:
Q: What is the difference between extension allowlisting and workload identity governance?
A: Extension allowlisting controls what can run on the developer endpoint, while workload identity governance controls what tokens, keys, and service accounts that endpoint can reach. In practice, you need both. A trusted workstation can still become the launch point for secret theft, so identity controls must extend into the tools developers use every day.
👉 Read our full editorial: SaassyCode’s VS Code extension campaign shows active malware persistence