high · Plugin

AGS-2026-0014

HelixGuard finds 12 malicious VS Code marketplace extensions — 4 still live

What happened

HelixGuard's research team identified 12 malicious extensions across the Microsoft VS Code Marketplace and OpenVSX. Four were still active at the time of disclosure despite detection.

Indicators

  • Extensions that ship a postInstall script invoking child_process.
  • Extensions that include a packaged node_modules containing obfuscated code (legitimate extensions usually don't ship deps).
  • Outbound POSTs to non-publisher domains in network logs.
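
The first two indicators can be checked against an unpacked extension directory. The script below is an added example, not AgentGuard's or HelixGuard's inspection code. The names inspect_extension and build_samples, the obfuscation regex and the threshold of three matches are assumptions, and the sample extensions are constructed.

```python
import json, re, tempfile
from pathlib import Path

# Heuristic markers of obfuscated JavaScript (assumed pattern, tune locally).
OBFUSCATED = re.compile(r"_0x[0-9a-f]{4,}|(?:\\x[0-9a-f]{2}){8,}", re.I)

def inspect_extension(root):
    """Return a list of findings for one unpacked extension directory."""
    root, findings = Path(root), []
    try:
        manifest = json.loads((root / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ["package.json missing or unreadable"]
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    for name, cmd in (scripts.items() if isinstance(scripts, dict) else []):
        if name.lower() != "postinstall":
            continue
        # Inspect the command plus any .js file it names inside the extension.
        text = str(cmd)
        for rel in re.findall(r"[\w./-]+\.js\b", text):
            target = (root / rel).resolve()
            if target.is_file() and root.resolve() in target.parents:
                text += target.read_text(encoding="utf-8", errors="replace")
        if "child_process" in text:
            findings.append(f"postinstall script uses child_process: {cmd}")
    nm = root / "node_modules"
    bundled = sorted(p for p in nm.rglob("*.js") if p.is_file()) if nm.is_dir() else []
    for js in bundled:
        body = js.read_text(encoding="utf-8", errors="replace")
        if len(OBFUSCATED.findall(body)) >= 3:  # assumed threshold
            findings.append(f"obfuscated-looking code: {js.relative_to(root)}")
    return findings

def build_samples(base):
    """Create two constructed extension trees: one suspicious, one clean."""
    bad, good = Path(base) / "bad-ext", Path(base) / "good-ext"
    (bad / "node_modules" / "dep").mkdir(parents=True)
    good.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"name": "bad-ext", "scripts": {"postInstall": "node setup.js"}}))
    (bad / "setup.js").write_text("require('child_process');\n")
    (bad / "node_modules" / "dep" / "index.js").write_text(
        "var _0x1a2b=['a'];function _0x3c4d(_0x5e6f){return _0x1a2b[_0x5e6f];}\n")
    (good / "package.json").write_text(json.dumps(
        {"name": "good-ext", "scripts": {"compile": "tsc -p ./"}}))
    return bad, good

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext in build_samples(tmp):
            print(ext.name, inspect_extension(ext) or "no findings")
```

A finding is a prompt for manual review, not a verdict: some legitimate extensions bundle minified dependencies. The third indicator needs network logs and is not covered here.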

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.
