VSCode Logs: The Overlooked Goldmine That Catches Malicious AI Extensions & RATs—DFIR Pros Are Missing This + Video


Introduction

Visual Studio Code has become the default development environment for millions, but its extensive logging capabilities remain largely unknown to security teams. While attackers increasingly target developers through malicious extensions—such as MaliciousCorgi AI extensions exfiltrating source code, prettier-vscode-plus delivering Anivia loader and OctoRAT, and TigerJack’s source-code-stealing campaigns—the forensic artifacts left behind in VSCode’s sharedprocess logs provide defenders with a rare opportunity: traces of extension installs, settings sync events, and remote development activity that attackers rarely bother to erase.

Learning Objectives

  • Identify the default log locations for VSCode, Insiders, VSCodium, and portable installs on Windows and Linux.
  • Extract and analyze sharedprocess logs to detect malicious extension installations, credential theft indicators, and remote development anomalies.
  • Implement automated collection scripts and leverage cdxgen to inventory developer workstation extensions as part of incident response.

You Should Know

1. Locating and Collecting VSCode Logs Across Platforms

VSCode creates a new session folder under its logs directory on every launch (the folder name is the launch timestamp, in the form YYYYMMDDTHHMMSS), and each folder holds a `sharedprocess.log` that records activity from the long‑running shared process responsible for extension management, settings sync, telemetry, and parts of the remote development workflow. Older session folders are pruned automatically, so collect promptly and collect every folder rather than only the newest one. The base path varies by installation type; collecting all variants ensures no evidence is missed.

Step‑by‑step collection guide:

On Windows (standard VSCode):

# Main log directory
%APPDATA%\Code\logs\

# Example PowerShell one-liner to copy all logs
Copy-Item -Path "$env:APPDATA\Code\logs\" -Destination "C:\DFIR_Collection\VSCode_Logs\" -Recurse -Force

Windows (Insiders edition):

%APPDATA%\Code - Insiders\logs\

Windows (VSCodium – open source build):

%APPDATA%\VSCodium\logs\

Linux (standard VSCode):

~/.config/Code/logs/

Linux (VSCodium):

~/.config/VSCodium/logs/

Portable installations: Locate the `data` folder inside the portable VSCode directory, then navigate to data\logs\.

Forensic imaging command (Linux):

# Copy the whole logs tree preserving timestamps, ownership and mode (-a is shorthand for -r --preserve=all)
# Run as the affected user, or replace ~ with that user's home directory when running as root
mkdir -p /case/evidence/vscode_logs
cp -a ~/.config/Code/logs/ /case/evidence/vscode_logs/

What these logs contain: Extension installs/updates (including malicious ones), extension host crashes, settings sync authentication attempts, opened workspace paths, remote-SSH session details, and telemetry events. The exact coverage depends on VSCode version, installed extensions, and configured log level.

2. Analyzing SharedProcess.log for Malicious Extension Indicators

The `sharedprocess.log` often records when extensions are downloaded, installed, or updated. For defenders hunting campaigns like the Anivia loader or OctoRAT delivery through prettier-vscode-plus, these logs can reveal the exact timestamp of compromise and the extension ID involved.

Step‑by‑step analysis:

1. List the session folders, newest first (each folder holds one launch's `sharedprocess.log`):

# Find latest timestamped directory
ls -lt ~/.config/Code/logs/ | head -5

2. Extract extension install events. The `*/` glob walks every session folder; substitute a single folder name to scope to one session:

grep -i "installing extension" ~/.config/Code/logs/*/sharedprocess.log
grep -i "extension installed" ~/.config/Code/logs/*/sharedprocess.log

3. Look for suspicious extension origins (installs from a local .vsix or a file:// URL rather than the marketplace):

grep -E "\.vsix|file://" ~/.config/Code/logs/*/sharedprocess.log

4. Identify settings sync anomalies (potential credential theft):

grep -i "settings sync" ~/.config/Code/logs/*/sharedprocess.log
grep -i "authentication" ~/.config/Code/logs/*/sharedprocess.log

5. Detect remote development activity (SSH tunnels, containers):

grep -i "remote" ~/.config/Code/logs/*/sharedprocess.log
grep -i "ssh" ~/.config/Code/logs/*/sharedprocess.log

Windows equivalent commands:

Get-ChildItem -Path "$env:APPDATA\Code\logs\" -Recurse -Filter "sharedprocess.log" | ForEach-Object { Select-String -Path $_.FullName -Pattern "installing extension" }
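The grep steps above answer one question at a time. The script below, an added example that is not code from the article or from VS Code, does the same triage in one pass: it tags each `sharedprocess.log` line as a marketplace install, a local .vsix/file:// install, a settings‑sync authentication event or a remote session, and then pulls out the installs that landed in a window before a chosen time of compromise. It assumes the line layout `YYYY-MM-DD HH:MM:SS.mmm [level] message` and that install messages name the extension as `publisher.name` after a colon; the sample log and its message texts are constructed for illustration, not copied from a real log.

```python
"""Triage a VS Code sharedprocess.log and correlate installs with a time of compromise.

Added example (not VS Code's code).  Assumptions: log lines look like
'YYYY-MM-DD HH:MM:SS.mmm [level] message', and install messages carry the
extension ID as 'publisher.name' after a colon.  SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# 'publisher.name' following a colon, e.g. "Installing extension: esbenp.prettier-vscode"
EXT_ID_RE = re.compile(r":\s+([A-Za-z0-9][\w-]*\.[A-Za-z0-9][\w-]*)")

# (tag, pattern over the message).  First match wins, so the most specific
# indicator (a local .vsix / file:// install) is listed first.
RULES = [
    ("local_vsix_install", re.compile(r"\.vsix\b|file://", re.I)),
    ("extension_install", re.compile(r"installing extension|extension installed", re.I)),
    ("settings_sync_auth", re.compile(r"settings sync.*(auth|token|sign)|authentication", re.I)),
    ("remote_session", re.compile(r"\bremote\b|\bssh\b", re.I)),
]
INSTALL_TAGS = ("local_vsix_install", "extension_install")

# Constructed sample: a benign daytime install, a night-time local .vsix install,
# a settings-sync auth event and a Remote-SSH connection.
SAMPLE_LOG = """\
2025-03-04 09:12:01.101 [info] Installing extension: esbenp.prettier-vscode
2025-03-04 09:12:03.455 [info] Extension installed successfully: esbenp.prettier-vscode
2025-03-04 22:41:17.902 [info] Installing extension: evil-pub.prettier-vscode-plus from file:///tmp/prettier-vscode-plus-1.0.3.vsix
2025-03-04 22:41:18.330 [info] Extension installed successfully: evil-pub.prettier-vscode-plus
2025-03-04 22:42:05.000 [info] Settings Sync: authentication session acquired for github
2025-03-04 22:45:44.210 [info] Remote-SSH: connecting to host build-box.internal
2025-03-04 22:46:00.001 [trace] telemetry event sent
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    level: str
    tag: str
    extension: Optional[str]
    message: str


def parse_line(line):
    """Return an Event for a line that matches one of RULES, else None."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    msg = m["msg"]
    for tag, rx in RULES:
        if rx.search(msg):
            ext = EXT_ID_RE.search(msg) if tag in INSTALL_TAGS else None
            return Event(
                ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                level=m["level"],
                tag=tag,
                extension=ext.group(1) if ext else None,
                message=msg,
            )
    return None


def triage(text):
    """All tagged events from one log, oldest first."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(events, key=lambda e: e.ts)


def triage_tree(logs_dir):
    """Walk every session folder under <logs_dir> (one sharedprocess.log each)."""
    events = []
    for path in Path(logs_dir).glob("*/sharedprocess.log"):
        events.extend(triage(path.read_text(errors="replace")))
    return sorted(events, key=lambda e: e.ts)


def summarize(events):
    """Number of events per tag."""
    return dict(Counter(e.tag for e in events))


def installs_before(events, eoc_iso, window_minutes=60):
    """Extension installs (marketplace or local) in the window before the
    event of compromise (ISO timestamp), oldest first."""
    eoc = datetime.fromisoformat(eoc_iso)
    start = eoc - timedelta(minutes=window_minutes)
    return [e for e in events if e.tag in INSTALL_TAGS and start <= e.ts <= eoc]


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for e in evs:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S} {e.tag:<20} {e.extension or '-':<32} {e.message}")
    print(summarize(evs))
    for e in installs_before(evs, "2025-03-04T23:00:00"):
        print("install in EOC window:", e.tag, e.extension)
```

`triage_tree("~/.config/Code/logs")` (with the path expanded) walks every session folder, which matters because the install you are looking for is usually in an older session than the one the developer is running now. Rule order is the one design choice worth noting: a local .vsix install also matches the generic "installing extension" pattern, so the more specific rule must come first.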

3. Automating Extension Inventory with cdxgen (AppSec Integration)

As mentioned in the LinkedIn comments, Prabhu S. highlights `cdxgen` with the `-t ide-extension` flag as a powerful method to catalogue all extensions used by developers. This creates a software bill of materials (SBOM) for IDE extensions, which can be compared against known malicious extension lists.

Step‑by‑step extension inventory:

1. Install cdxgen (Node.js required; the package now lives under the @cyclonedx scope, and the older @appthreat/cdxgen name is deprecated):

npm install -g @cyclonedx/cdxgen

2. Run extension inventory on a developer workstation:

cdxgen -t ide-extension -o vscode_extensions_sbom.json

3. Inventory all applications, services, plugins, and extensions (full OS scan):

cdxgen -t os -o full_workstation_sbom.json

4. Compare against threat intelligence feeds:

# Example: grep for known malicious extension IDs (-r makes jq print bare strings instead of quoted JSON)
jq -r '.components[].name' vscode_extensions_sbom.json | grep -iE "maliciouscorgi|prettier-vscode-plus|tigerjack"

Automated collection & alerting script (Linux):

#!/bin/bash
# Daily developer workstation check
set -euo pipefail
LOG_DIR="/var/log/vscode_dfir"
mkdir -p "$LOG_DIR"
DATE=$(date +%Y%m%d)
SBOM="$LOG_DIR/extensions_$DATE.json"
cdxgen -t ide-extension -o "$SBOM"
# Check against a known malicious list (placeholder URL and mailbox: substitute your own feed and SOC address)
curl -fsSL https://raw.githubusercontent.com/example/malicious-extensions/main/list.txt | while read -r bad_ext; do
    [ -z "$bad_ext" ] && continue
    if grep -qF "$bad_ext" "$SBOM"; then
        echo "ALERT: Malicious extension $bad_ext detected on $(hostname)" | mail -s "VSCode Threat" soc@example.com
    fi
done
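A `grep` over the SBOM file works for exact IDs but cannot express "any publisher shipping this name" or "versions below X". The following is an added example, not code from the article and not part of cdxgen, that compares a CycloneDX extension SBOM against a small blocklist with both of those forms. It assumes the SBOM lists one component per extension with the publisher in `group` and the extension name in `name`; the SBOM fragment, the blocklist syntax and every ID in them are constructed for illustration, not real threat intelligence.

```python
"""Compare an IDE-extension SBOM (CycloneDX JSON) against a blocklist.

Added example; not cdxgen's or the article's code.  Assumes components
carry the publisher in "group" and the extension name in "name".
SAMPLE_SBOM and SAMPLE_BLOCKLIST are constructed placeholders.
"""
import json
import re

# Constructed SBOM fragment in CycloneDX shape (one component per extension).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "group": "esbenp", "name": "prettier-vscode", "version": "10.4.0"},
        {"type": "application", "group": "evil-pub", "name": "prettier-vscode-plus", "version": "1.0.3"},
        {"type": "application", "group": "ms-python", "name": "python", "version": "2024.22.0"},
        {"type": "application", "name": "corgi-ai-assist", "version": "0.9.1"},
    ],
})

# Constructed blocklist format: one entry per line, "<publisher>.<name>" or
# "*.<name>" (any publisher), optionally followed by "<VERSION" meaning only
# versions below VERSION are flagged (e.g. a compromised release that was fixed).
SAMPLE_BLOCKLIST = """\
# comments and blank lines are ignored
evil-pub.prettier-vscode-plus
*.corgi-ai-assist
ms-python.python <2024.0.0
"""

ENTRY_RE = re.compile(r"^(?P<id>[^\s<]+)(?:\s*<\s*(?P<below>[\w.+-]+))?$")


def version_key(v):
    """Numeric-aware sort key: '10.4.0' > '9.9.9'; non-numeric parts compare as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.+-]", v))


def parse_blocklist(text):
    """Return a list of (id_pattern_lowercase, below_version_or_None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"bad blocklist entry: {line!r}")
        entries.append((m["id"].lower(), m["below"]))
    return entries


def component_id(comp):
    """'publisher.name' when a group is present, else the bare name."""
    return f"{comp['group']}.{comp['name']}" if comp.get("group") else comp["name"]


def entry_matches(entry, comp):
    pattern, below = entry
    cid = component_id(comp).lower()
    name = comp["name"].lower()
    id_hit = cid == pattern or (pattern.startswith("*.") and name == pattern[2:])
    if not id_hit:
        return False
    if below is None:
        return True
    version = comp.get("version")
    return version is not None and version_key(version) < version_key(below)


def scan(sbom_json, blocklist_text):
    """Return [(component_id, version, matching_entry), ...]; one hit per component."""
    sbom = json.loads(sbom_json)
    entries = parse_blocklist(blocklist_text)
    hits = []
    for comp in sbom.get("components", []):
        for entry in entries:
            if entry_matches(entry, comp):
                hits.append((component_id(comp), comp.get("version"), entry[0]))
                break
    return hits


if __name__ == "__main__":
    for cid, ver, rule in scan(SAMPLE_SBOM, SAMPLE_BLOCKLIST):
        print(f"ALERT: {cid} {ver} matched blocklist entry {rule}")
```

In the sample, `ms-python.python` is not flagged because its version is above the threshold, while `corgi-ai-assist` is flagged through the wildcard even though the SBOM recorded no publisher for it. Feed `scan()` the JSON cdxgen writes and a blocklist maintained in this format to get the same result as the `jq | grep` pipeline with version awareness.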

4. Hardening Developer Workstations Against Extension-Based Attacks

Prevention and detection go hand in hand. Implement the following controls to reduce the attack surface exposed by VSCode extensions.

Windows (Group Policy):

VSCode does not read ad‑hoc registry values such as an "ExtensionsAutoUpdate" or "ExtensionsGallery" entry under HKCU; adding them changes nothing. The supported mechanism is the ADMX/ADML policy template distributed with VSCode (documented under Enterprise support). Policies applied through it land under HKLM\Software\Policies\Microsoft\VSCode, override the user's settings.json, and include the update mode and, in current releases, the allowed‑extension list that mirrors the `extensions.allowed` setting. Pointing clients at a private marketplace is done by editing the `extensionsGallery` block of `product.json` in the installation directory (the same mechanism VSCodium uses to target Open VSX instead of the Microsoft marketplace), not through a registry value.

settings.json lockdown (all platforms; the keys below apply to user settings on Windows, macOS and Linux alike, and for a fleet baseline belong in machine‑scope settings or the policy template):

{
  "extensions.autoCheckUpdates": false,
  "extensions.autoUpdate": false,
  "extensions.ignoreRecommendations": true,
  "workbench.settings.enableNaturalLanguageSearch": false
}
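During triage it is useful to know whether the workstation actually carried the baseline above. The script below is an added example, not the article's or VS Code's code: it loads a `settings.json`, strips the JSONC comments and trailing commas that VS Code tolerates but `json.loads` does not, and reports each `extensions.*` key that is weaker than the baseline. The defaults it applies for absent keys (update checks and auto‑update on, recommendations shown) are VS Code's shipped defaults; the two sample files are constructed.

```python
"""Audit a VS Code settings.json against the extension-hardening baseline.

Added example (not VS Code's code).  BASELINE maps each key to its hardened
value and to VS Code's default when the key is absent.  The sample settings
files are constructed.
"""
import json
import re

# key -> (hardened value, VS Code default when the key is absent)
BASELINE = {
    "extensions.autoCheckUpdates": (False, True),
    "extensions.autoUpdate": (False, True),
    "extensions.ignoreRecommendations": (True, False),
}

WEAK_SETTINGS = """{
    // user-scope settings on a developer workstation (constructed sample)
    "extensions.autoUpdate": true,
    "extensions.ignoreRecommendations": true,
    "remote.SSH.remotePlatform": { "build-box.internal": "linux" },
}"""

HARDENED_SETTINGS = """{
    "extensions.autoCheckUpdates": false,
    "extensions.autoUpdate": false, /* updates only via approved rollout */
    "extensions.ignoreRecommendations": true
}"""


def strip_jsonc(text):
    """Remove // and /* */ comments outside strings, then trailing commas.

    String state is tracked character by character so that a URL like
    "https://x" inside a value is not mistaken for a comment.
    """
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j           # the newline itself is kept
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing comma before a closing brace/bracket (config files only, not hostile input)
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_settings(text):
    return json.loads(strip_jsonc(text))


def audit(text):
    """Findings as (key, observed, expected); an empty list means compliant."""
    settings = load_settings(text)
    findings = []
    for key, (expected, default) in BASELINE.items():
        if key in settings:
            if settings[key] != expected:
                findings.append((key, settings[key], expected))
        elif default != expected:
            findings.append((key, f"absent (default {json.dumps(default)})", expected))
    return findings


if __name__ == "__main__":
    for key, observed, expected in audit(WEAK_SETTINGS):
        print(f"WEAK: {key} = {observed}, baseline wants {json.dumps(expected)}")
    print("hardened sample findings:", audit(HARDENED_SETTINGS))
```

Point `audit()` at the collected user settings (on Linux `~/.config/Code/User/settings.json`) alongside the log evidence; an absent key is reported as a finding because VS Code falls back to its default, which for these keys is the permissive value.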

Network monitoring: the extension host is a child process of the editor, so a network sensor cannot tell an extension's traffic from VSCode's own; alerting on unknown destinations per process belongs in EDR or Sysmon (Event ID 3) telemetry. What a Suricata sensor can do is record marketplace activity for timeline correlation: `marketplace.visualstudio.com`, `*.gallerycdn.vsassets.io` and `*.vscode-unpkg.net` are Microsoft's marketplace and extension CDN endpoints, so the rule below logs extension downloads rather than beaconing (a match here is expected behaviour, not an indicator of compromise). Example Suricata rule:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"VSCode extension download from marketplace CDN"; tls.sni; content:".vscode-unpkg.net"; nocase; sid:1000001; rev:1;)

5. Incident Response Playbook for Developer Workstations

When a developer workstation lands in your IR queue, follow this VSCode‑specific triage process.

Immediate collection (Windows batch script):

@echo off
rem The %DATE% slicing assumes the locale prints "ddd MM/DD/YYYY"; on other locales use PowerShell Get-Date instead
set EVIDENCE=C:\DFIR_CASE_%DATE:~-4,4%%DATE:~-10,2%%DATE:~-7,2%
mkdir %EVIDENCE%
rem xcopy reports an error for any flavour that is not installed; that is expected
xcopy "%APPDATA%\Code\logs\" "%EVIDENCE%\Code_logs\" /E /I /Y
xcopy "%APPDATA%\Code - Insiders\logs\" "%EVIDENCE%\Insiders_logs\" /E /I /Y
xcopy "%APPDATA%\VSCodium\logs\" "%EVIDENCE%\VSCodium_logs\" /E /I /Y

Linux triage script:

#!/bin/bash
# Run as the user being triaged, or replace ~ with that user's home directory
CASE_DIR="/cases/$(hostname)_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$CASE_DIR"
for path in ~/.config/Code/logs/ ~/.config/Code\ -\ Insiders/logs/ ~/.config/VSCodium/logs/; do
    # Every source ends in logs/, so name each copy after its product directory instead of merging them all into one "logs"
    [ -d "$path" ] && cp -a "$path" "$CASE_DIR/$(basename "$(dirname "$path")")_logs"
done
tar -czf "$CASE_DIR.tar.gz" -C "$(dirname "$CASE_DIR")" "$(basename "$CASE_DIR")"

Key indicators to correlate on the timeline:

  • Extension install time vs. event of compromise (EOC)
  • Settings sync token generation (potential credential replay)
  • Unexpected remote SSH targets in logs
  • Telemetry bursts just before data exfiltration

What Undercode Say

  • Non‑traditional artifacts win investigations. Most DFIR playbooks ignore application‑level logs like VSCode’s sharedprocess logs. Attackers don’t expect them to be examined, making them pristine sources of evidence.
  • Extensions are the new supply chain risk. The rise of malicious AI extensions and RAT‑delivering plugins means every extension install must be treated as a potential breach vector. Inventory tools like cdxgen turn reactive cleanup into proactive monitoring.
  • Low cost, high impact. Adding three log paths to collection scripts takes minutes but can break cases open when other logs have been rotated or wiped. Defenders who ignore developer tooling leave a blind spot that adversaries actively exploit.

Prediction

Over the next 12‑18 months, we will see a surge in targeted attacks abusing VSCode’s remote development and settings sync features for persistence and lateral movement. Microsoft will likely introduce a security audit log for extensions—similar to O365 audit—but adoption will be slow. Meanwhile, open‑source DFIR tools will begin including VSCode log parsers as standard modules. The organizations that survive these attacks will be those that start collecting and analyzing developer environment telemetry today, not after the breach. Expect malicious extensions to evolve into polymorphic payloads that delete their own install traces from logs—but by then, defenders will have already moved to real‑time monitoring of extension hashes via SBOM feeds.


Reported By: Mauricefielenbach Threatintel – Hackers Feeds