6/6 | Uncover Hidden Risks: CISO’s Guide to Using ExtensionTotal API for Your Organization

Amit Assaraf
6 min read · Jul 5, 2024


After publishing our research and releasing ExtensionTotal, I’ve had the privilege of working with security teams from amazing companies. Today, ExtensionTotal’s API is used by dozens of organizations in many different configurations, all to battle the risk of Visual Studio Code extensions.

Consider this guide the culmination of all the experience I had integrating ExtensionTotal into different organizations from aviation companies, to deep-tech companies, to cybersecurity companies.

Let’s get started.

I’m a CISO, Why Should I Care?

If you haven’t already, before reading much further, you should read the research we published a few weeks ago about “How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension”. It will provide much needed context into the dangers surrounding our developers today.

Regardless, let's touch on it briefly.

Visual Studio Code (VSCode, the most popular IDE in the world) extensions were designed without fundamental security boundaries. They can execute arbitrary code, spawn child processes, and access system resources without any limitation and without any permission model, meaning users have zero visibility into what actions extensions perform. Furthermore, the VSCode Marketplace has minimal controls, enabling malicious extensions to easily gain credibility and exposure to developers, to the point where our research extension (as discussed in our first blog post) reached thousands of developers and multiple multi-billion dollar market cap companies, including one of the biggest cybersecurity companies in the world, without any solicitation or major effort from us. These issues pose a significant threat to organizations worldwide.

As a CISO, you buy and implement a plethora of security products and layers to protect your organization. Unfortunately, this attack vector has been shown to bypass most if not all of these layers, making it one of the highest-risk attack vectors a developer in an organization is exposed to.

I highly recommend reading our entire research to fully grasp the risks of this dangerous attack vertical —

1/6 | How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension

2/6 | Exposing Malicious Extensions: Shocking Statistics from the VS Code Marketplace

3/6 | A Letter to Microsoft: Uncovering Design Flaws of Visual Studio Code Extensions

Okay, I Got It. It’s a High Risk and High Impact Attack Vertical, What Can I Do?

Well, use ExtensionTotal. ExtensionTotal is a tool that, given an extension name, ID or URL, assesses the risk of that VSCode extension.

We unpack and dive deep into the extension, running vulnerability checks on the code and its dependencies, gathering data about the publisher background, monitoring if the extension communicates externally, checking for leaked secrets, and even providing code insights using AI to understand what the code is built to do.

ExtensionTotal provides an API for organizations to automate VSCode extension risk assessment. Today, this API is used by dozens of organizations every minute.

Nice! So How Do I Go About Integrating ExtensionTotal in My Organization?

ExtensionTotal is used in many different ways and configurations inside organizations; you should choose the way that works best for you and fits your organization's profile.

Let's touch on a few of the common configurations:

Using ExtensionTotal API through your MDM

This is probably the most recommended and common way to integrate ExtensionTotal in your organization.

The way this works is by running a script (Bash/PowerShell) on all your endpoints using your MDM. The script collects all installed VSCode extensions using the code command (code --list-extensions) and checks each of them against ExtensionTotal's API to collect its risk.

You can either use the MDM only to collect all installed extensions and then assess their risk centrally with ExtensionTotal's API, or assess the risk directly on the endpoint. Usually this won't matter, as the API key for organizations has no rate limit.

Here is an example of a JumpCloud script (macOS endpoints) for using ExtensionTotal's API —

#!/bin/bash
# Runs as root under the MDM; resolve the console user so `code` sees their extensions.
loggedInUser=$(stat -f "%Su" /dev/console)
codePath="/Applications/Visual Studio Code.app/Contents/Resources/app/bin/code"
cd /Users/"$loggedInUser" || exit 1

# Enumerate installed extensions (one "publisher.name" per line) as the logged-in user.
codeExtensions=$(sudo -u "$loggedInUser" "$codePath" --list-extensions)

jsonResult="{\"extensions\":["

# Query ExtensionTotal for each extension and collect the raw JSON verdicts.
while IFS= read -r line || [[ -n $line ]]; do
    [[ -z $line ]] && continue
    content=$(curl -s --location 'https://app.extensiontotal.com/api/getExtensionRisk' \
        --header 'Content-Type: application/json' \
        --header 'Cookie: SameSite=None' \
        --header 'x-api-key: <YOUR_API_KEY>' \
        --data "{\"q\": \"$line\"}")
    jsonResult+="$content,"
done < <(printf '%s' "$codeExtensions")

# Drop the trailing comma and close the JSON document for the MDM to collect.
jsonResult=${jsonResult%,}
jsonResult+="]}"
echo "$jsonResult"

We’ve worked closely with organizations to customize the script for their MDMs and use-cases. Feel free to reach out and we’ll help you adapt the script for your MDM. Here is another example for Windows endpoints —

# Enumerate installed extensions (one "publisher.name" per line).
$codeExtensions = $(code --list-extensions)

Write-Output "Found $($codeExtensions.Count) extensions to check..."
$extArray = @()

foreach ($extension in $codeExtensions) {

    $headers = @{
        "Content-Type" = "application/json"
        "Cookie"       = "SameSite=None"
        "X-API-Key"    = "API_KEY_HERE"
    }

    $payload = @{
        "q" = $extension
    }

    # Ask ExtensionTotal for the risk verdict of this extension.
    $response = Invoke-WebRequest -Uri 'https://app.extensiontotal.com/api/getExtensionRisk' `
        -Method Post `
        -Body $( $payload | ConvertTo-Json) `
        -Headers $headers `
        -UseBasicParsing

    $responseContent = $response.Content | ConvertFrom-Json
    $extArray += $responseContent

    Start-Sleep -Seconds 10
}

# Report the results, riskiest extension first.
$extArray | Sort-Object -Property risk -Descending | Format-Table -Property display_name, version, risk, updated_at
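The collect-centrally option described above (the MDM only ships the output of code --list-extensions from each host, and the risk lookups happen in one place), as an added example that is not part of the original post or ExtensionTotal's own tooling. It assumes the response fields shown in the PowerShell report and a numeric risk score; the lookup is injected so each unique extension across the fleet is queried once rather than once per endpoint, and a failed lookup is reported rather than dropped.

```python
"""Central-side assessment of extension inventories collected by an MDM.
Added example, not ExtensionTotal's own code. Assumes each host shipped the raw
`code --list-extensions` output. URL, x-api-key header and {"q": ...} body are
from the page; response fields (display_name, version, risk, updated_at) and a
numeric `risk` score are assumptions based on the PowerShell report above."""
import json
from typing import Callable, Dict, List
from urllib import request

API_URL = "https://app.extensiontotal.com/api/getExtensionRisk"


def parse_inventory(raw: str) -> List[str]:
    """Unique, lower-cased IDs from list-extensions output (tolerates CRLF, blanks, @version)."""
    ids: List[str] = []
    for line in raw.splitlines():
        ext_id = line.strip().split("@", 1)[0].lower()
        if ext_id and ext_id not in ids:
            ids.append(ext_id)
    return ids


def live_lookup(api_key: str) -> Callable[[str], dict]:
    """Return a requester that POSTs {"q": <id>} with the x-api-key header."""
    def lookup(ext_id: str) -> dict:
        req = request.Request(
            API_URL, data=json.dumps({"q": ext_id}).encode(),
            headers={"Content-Type": "application/json", "x-api-key": api_key})
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return lookup


def assess_fleet(inventories: Dict[str, str], lookup: Callable[[str], dict],
                 threshold: float) -> Dict[str, List[dict]]:
    """Query each unique extension once, then list per host the extensions at or
    above `threshold`; a failed lookup is kept with risk=None so it is surfaced."""
    per_host = {host: parse_inventory(raw) for host, raw in inventories.items()}
    cache: Dict[str, dict] = {}  # lookup is injected, so this also runs offline
    for ext_id in {e for ids in per_host.values() for e in ids}:
        try:
            cache[ext_id] = lookup(ext_id)
        except Exception as exc:  # network, HTTP or JSON error
            cache[ext_id] = {"display_name": ext_id, "risk": None, "error": str(exc)}
    report = {}
    for host, ids in per_host.items():
        flagged = [dict(cache[e], extension_id=e) for e in ids
                   if cache[e]["risk"] is None or cache[e]["risk"] >= threshold]
        if flagged:  # riskiest first, unassessable entries last
            report[host] = sorted(flagged, reverse=True,
                                  key=lambda r: -1 if r["risk"] is None else r["risk"])
    return report
```

Wire it up with assess_fleet(inventories, live_lookup("<YOUR_API_KEY>"), threshold) once the MDM has shipped each host's list-extensions output.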

Using FleetDM + Tines

If your organization is using FleetDM and Tines, one of our users, Dave Herder, has published a LinkedIn article on how to integrate ExtensionTotal with FleetDM and a Tines integration he developed. Check out his article here —

Install ExtensionTotal On All Developer Endpoints

Another way to go, which several organizations have opted for, is to send out a policy to all developers to install ExtensionTotal's VSCode extension.

I've actually developed an extension for VSCode that continuously scans all your installed extensions for risky activity and alerts you if and when it finds one. It is used by thousands of developers every day.

One thing to note here is that each developer will need to create an account at https://app.extensiontotal.com/profile in order to use the extension, so this is not a very efficient way of using ExtensionTotal in a large organization.

On-premises ExtensionTotal

We’ve gotten requests from large organizations to self-host ExtensionTotal, or more correctly, to deploy ExtensionTotal in their cloud and have us manage it. If this is something you are interested in, please reach out here.

Additionally, I highly recommend reading our documentation for more help.

Awesome, I Need an API Key, Where Do I Get One?

ExtensionTotal is completely free for personal use; today thousands of developers use ExtensionTotal to protect their VSCode environments.

Still, ExtensionTotal is a self-funded project. All income goes directly to covering the costs of running ExtensionTotal for the security community; we do not aim to make any profit.

In order to keep ExtensionTotal free for personal use, and keep it readily available for everyone, ExtensionTotal's API requires purchasing a membership here and joining as a supporter. We offer only one membership plan, "API Access — For Organizational Use", providing unlimited API requests.

Massive shout out to the organizations that already support us today.

We are speaking with new organizations with new environments every day, and will continue to update here as new methods of using ExtensionTotal arise. If you have a unique use-case and need help to integrate, feel free to reach out. Our goal is to help the security community completely mitigate this problem.

This is the last and final post in this series. I am grateful for all the responses, feedback, and support along this journey and hope to continue delivering more amazing security products for you in the future.

Thanks ❤️ Amit

https://www.linkedin.com/in/amitassaraf/

https://x.com/amitassaraf
