Because the IDE sits between developers, source code, and build systems. If an extension can access tokens or modify project files, it can become a distribution point for credential theft or code tampering. That risk is amplified when developers trust third-party plugins more than they inspect the permissions they grant.
Why This Matters for Security Teams
Malicious IDE extensions are a supply chain risk because they operate inside the developer’s trusted execution path, where source code, secrets, and build actions converge. That makes them more dangerous than a normal desktop app: an extension can read open files, alter code before commit, or intercept tokens used by cloud and CI systems. Once a plugin is installed, its access often looks indistinguishable from legitimate productivity tooling.
The risk is not theoretical. NHIMG’s Reviewdog GitHub Action supply chain attack and Shai Hulud npm malware campaign show how quickly trusted tooling can become a secret-exfiltration channel. Current guidance from the NIST Cybersecurity Framework 2.0 reinforces that software supply chain trust has to be managed, not assumed. In practice, many security teams encounter extension abuse only after secrets have already been copied or commits have already been tainted, rather than through intentional review of plugin permissions.
How It Works in Practice
An IDE extension typically inherits broad local privileges: access to project folders, clipboard contents, command execution, network calls, and sometimes authenticated sessions to package registries or cloud consoles. That combination makes the IDE a distribution point, not just a coding aid. A malicious extension can wait until a developer opens a sensitive file, scrape credentials from environment variables, rewrite dependency files, or insert subtle backdoors into source before the code ever reaches review.
For development teams, the practical control set is a mix of software supply chain governance and NHI hygiene. The OWASP Non-Human Identity Top 10 is useful here because extensions often interact with API keys, service tokens, and other secrets that should be treated as NHIs, not informal convenience credentials. NHIMG’s Top 10 NHI Issues also highlights the operational cost of unmanaged credential sprawl. One relevant data point from The State of Secrets in AppSec is that only 44% of developers follow security best practices for secrets management, which means plugin abuse often succeeds because developers have already normalized weak handling of tokens.
- Restrict extension installation to curated allowlists and signed publishers where possible.
- Review requested permissions, especially file system, network, terminal, and token access.
- Keep developer secrets short-lived and scoped, so a stolen token has limited blast radius.
- Use endpoint and repository monitoring to catch unexpected code changes or outbound exfiltration.
- Separate personal developer privileges from build and release identities whenever possible.
These controls tend to break down when teams allow unrestricted marketplace installs on developer laptops that also hold long-lived cloud credentials.
Common Variations and Edge Cases
Tighter extension controls often increase developer friction, so organisations have to balance velocity against the risk of turning every plugin into an unmanaged software supplier. Best practice is evolving, but there is no universal standard for extension vetting maturity yet. Some teams rely on marketplace reputation, others require internal approval, and mature environments increasingly combine both with runtime monitoring.
Edge cases matter. A harmless-looking extension can still become dangerous if it can read terminal output, because tokens often appear in logs or command history. Remote development environments reduce some endpoint exposure, but they can also centralise more sensitive credentials in a smaller number of high-value systems. AI-assisted coding tools raise the stakes further because they may process snippets that include secrets or proprietary code outside the organisation’s direct controls, which is why the patterns seen in NHIMG’s LiteLLM PyPI package breach and JetBrains GitHub plugin token exposure remain highly relevant. The right response is not to ban all extensions, but to treat them as supply chain software that requires inventory, review, and revocation readiness.
For broader governance, teams should map these risks to NIST SP 800-53 Rev 5 Security and Privacy Controls for access control, software integrity, and monitoring.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | IDE extensions often steal or misuse tokens and keys tied to non-human identities. |
| OWASP Agentic AI Top 10 | Malicious extensions behave like embedded tool-using agents inside trusted workflows. | |
| CSA MAESTRO | Developer tooling is part of the broader agentic and software supply chain attack surface. | |
| NIST AI RMF | IDE extensions create AI-adjacent workflow risk through opaque, dynamic behavior. | |
| NIST CSF 2.0 | PR.IP-1 | Secure development and supply chain practices directly apply to IDE extension governance. |
Assume tool access can be abused and add runtime checks before any extension can read, write, or exfiltrate data.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org