Issue #179 (Crypto-stealing VS Code Extensions) 09/24/25
TLDR covers the most interesting tech, startup, and programming stories in under 5 minutes.
No sports. No politics. No weather.
TLDR is read by 1,250,000 software engineers, founders, and tech workers.
This newsletter features many VS Code extensions and tools that I don't personally have the time to check out myself. I install a few of them (like themes for example) but not all the tools that I share. As today's articles section makes clear, there are risks with extensions.
So this is just a friendly reminder that you should always triple check before installing any VS Code extension and, if possible, take measures to ensure you're installing a safe extension.
Here are a few relatively easy things you can do:
- Check the extension publisher's identity. For example, confirm if it's an official account, has a real website, has a verified badge from Microsoft, has multiple extensions in the marketplace, and so on.
- Examine user reviews and install numbers. Naturally, every extension starts at zero installs, but it's good to be wary of low install numbers and no reviews.
There are other measures you can take, if you're up for it, to be even more cautious about what you install:
- View the extension on GitHub and look at the code in the VSIX file. You can download the VSIX file on GitHub or while viewing the extension page inside VS Code (click the cog icon on the extension page).
- Also on GitHub, look at the extension's package.json and take note of any "postinstall" scripts or binaries in the file.
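One way to script the VSIX and package.json checks from the list above, as an added example that is not part of the original newsletter or any extension's own code. A VSIX is a ZIP archive, so this reads the manifest and lists install-time scripts and binary files; it also reports the `*` activation event (activate on every startup), which goes beyond the checks listed. The sample archive, its publisher name and its file names are constructed for illustration.

```python
import io
import json
import zipfile

# npm lifecycle hooks worth reading before trusting a package.json
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# File types that are compiled or directly executable rather than readable JS
BINARY_SUFFIXES = (".exe", ".dll", ".node", ".so", ".dylib", ".bin", ".ps1", ".sh", ".bat", ".cmd")


def review_vsix(vsix):
    """Return the details of a VSIX (path or file object) that deserve a manual look."""
    with zipfile.ZipFile(vsix) as archive:
        names = archive.namelist()
        # The extension manifest sits at extension/package.json inside the archive
        manifest = json.loads(archive.read("extension/package.json"))
    scripts = manifest.get("scripts", {})
    return {
        "publisher": manifest.get("publisher"),
        "name": manifest.get("name"),
        "repository": manifest.get("repository"),
        "lifecycle_scripts": {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts},
        "binaries": sorted(n for n in names if n.lower().endswith(BINARY_SUFFIXES)),
        "activates_on_startup": "*" in manifest.get("activationEvents", []),
    }


def build_sample_vsix():
    """Constructed sample archive so the example runs offline; not a real extension."""
    manifest = {
        "name": "sample-theme",
        "publisher": "example-publisher",
        "activationEvents": ["*"],
        "scripts": {"postinstall": "node ./setup.js", "test": "mocha"},
    }
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("extension/package.json", json.dumps(manifest))
        archive.writestr("extension/extension.js", "// constructed placeholder\n")
        archive.writestr("extension/bin/helper.exe", b"constructed placeholder")
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    for field, value in review_vsix(build_sample_vsix()).items():
        print(f"{field}: {value}")
```

To review a real download, pass the path of the `.vsix` file to `review_vsix()` instead of the constructed sample.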
If you want more info on what kinds of things to look for with malicious extensions, the article linked below points to an X thread by Zak Cole who was recently a victim of one of these bad actors. One of his posts is shown below, where he describes why he got taken in:
As mentioned, I can't possibly verify the authenticity and safety of every extension I share in this newsletter, so make sure you always take precautions.
Now on to this week's hand-picked links!
VS Code Tools
kluster.ai — A VS Code extension that helps you catch and fix hallucinations, security vulnerabilities, and logic errors as AI generates code. Also available for Cursor and Claude Code.
LeoJS — A JavaScript implementation of the Leo Editor, written as a VS Code and VSCodium extension. The Leo Editor is an outliner, editor, IDE and PIM written in 100% Python.
Tooltester Newsletter — Less noise and only the best AI & digital marketing tools. Get one weekly email with the best picks for smarter work. Sponsor
dbt — A VS Code extension for dbt, a platform that lets you build modular, maintainable data products that power analytics, operations, and AI. See articles section below for an announcement post.
VS Code Theme of the Week
The Best Theme — You gotta love a theme that has such a bold name. Is it the best theme? Not necessarily, but you might like it for its simplicity and strong contrast.

The theme doesn't make any major adjustments to the VS Code UI, only to the syntax highlighting, so if you like a decent dark theme that's not too hard on the eyes, you'll like this one.
VS Code Articles & Videos
Introducing Auto Model Selection (Preview) — A new feature now in preview mode in VS Code, enabling faster responses, a lower chance of rate limiting, and 10% off premium requests for paid users.
'WhiteCobra' Floods VS Code Market with Crypto-Stealing Extensions — The latest news in VS Code security, this one more concerning because apparently it wasn't initially completely resolved. There doesn't seem to be an update to the situation, but a good warning to be careful with new extensions and lookalikes.
Fusion and the dbt VS Code Extension are Now in Preview for Local Development — The dbt Fusion engine is now in preview for local development on Snowflake, Databricks, BigQuery, and Redshift, available in both the dbt VS Code extension and the CLI (see tools section above for extension link).
If you have any link suggestions, including a tool, article, or other resource related to VS Code or another IDE, you can hit reply, send it via DM on X, or via chat on Bluesky.
That's it for this issue.
Happy VS Coding!
Louis
VSCode.Email
@LouisLazaris