You don't provide any more information, and are promoting your own site here without even saying so despite your name being on the About page. This felt like clickbait.
We're excited to announce ExtensionTotal, a free community tool we've built in the past month, designed to assess and mitigate the risks of VSCode extensions. Inspired by AppTotal, VirusTotal, and others, ExtensionTotal dives deep into extensions to assess risk, identify vulnerabilities, check publisher backgrounds, find vulnerable secrets, and provide AI-driven code insights.
ExtensionTotal:
-- Continuously analyses VSCode marketplace extensions
-- Provides comprehensive risk reports with detailed findings
-- An API to allow you to assess all extensions in your organization
-- A VSCode extension for continuous risk monitoring in your local machine
During our research of Visual Studio Code extensions in the past few weeks, we've found an alarming number of security design flaws that deserve the security community's attention. The lack of a permission model, automatic silent updates, and unrestricted capabilities are just a few issues that pose a direct threat to organizations that use Visual Studio Code.
Read our letter to Microsoft with the design flaws we've found.
In 30 minutes, we developed and published a Visual Studio Code extension that changed IDE colors while leaking source code to a remote server. This experiment exposed massive security issues in one of the most popular IDEs in the world with tens of millions of users.
Here’s how we did it:
1. Built the extension: Created a copycat of the popular “Dracula Official” theme.
2. Established credibility: With $5 and leveraging amazing loopholes in the VSCode Marketplace.
3. Inserted “malicious” code: Each time a document was opened, a beacon was sent to our server.
4. Published and observed: Within minutes, we had our first victim. A day later, we were trending with over 1000 installs. Eventually, we infiltrated several multi-billion-dollar companies, a huge cybersecurity company, and even a country’s justice court (responsible disclosure was completed).
The ease of this process and the rapid adoption by unsuspecting developers highlights a critical security threat for organizations. If we could do this in 30 minutes, imagine what a motivated threat actor could achieve.
This experiment was a wake-up call, revealing the high-risk potential of VSCode extensions. Our full story and findings are detailed in our latest blog post. Read about our journey, the eye-opening statistics, and the urgent need for better security measures by Microsoft.
Read the full research post and stay tuned for our follow-up blog posts exposing malicious extensions and how to protect your development environment.
---
Note: No one was harmed during this experiment; we've contacted all affected companies to remediate the issue.
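The post's two defensive points are that a "theme" extension can still ship executable code that runs whenever a document is opened, and that VS Code updates extensions silently by default. The following script is an added example, not code from the original post or from ExtensionTotal: it inventories a VS Code extensions directory (assumed to follow the standard `~/.vscode/extensions/<folder>/package.json` layout), flags extensions that declare a `main` entry point together with a broad `activationEvents` value (`"*"` or `onStartupFinished`), and reads the real `extensions.autoUpdate` setting from a `settings.json`. The sample manifests it builds in a temporary directory are constructed for the demonstration and are not real marketplace extensions.

```python
"""Inventory locally installed VS Code extensions and flag broad activation.

Added example for this thread, not part of the original post or of ExtensionTotal.
Assumes the standard VS Code layout: one folder per extension under the extensions
directory, each with a package.json, and a settings.json that may carry the real
"extensions.autoUpdate" setting.
"""
import json
import tempfile
from pathlib import Path

# Activation events that load an extension with no user action: its code runs as
# soon as the editor starts, so any document opened afterwards is visible to it.
BROAD_ACTIVATION = {"*", "onStartupFinished"}


def inventory(ext_dir: Path) -> list:
    """Return one record per extension folder that carries a readable package.json."""
    records = []
    for manifest in sorted(ext_dir.glob("*/package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: skipped here, a real audit should log it
        events = set(data.get("activationEvents", []))
        records.append({
            "id": f"{data.get('publisher', '?')}.{data.get('name', '?')}",
            "version": data.get("version", "?"),
            "broad_activation": bool(events & BROAD_ACTIVATION),
            # A pure colour theme needs no JavaScript at all, so "main" is absent.
            "has_main": "main" in data,
        })
    return records


def flag_suspicious(records: list) -> list:
    """Extensions that ship code AND activate broadly deserve a second look."""
    return [r for r in records if r["has_main"] and r["broad_activation"]]


def auto_update_enabled(settings_path: Path) -> bool:
    """VS Code updates extensions silently unless extensions.autoUpdate is false."""
    try:
        settings = json.loads(settings_path.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        return True  # missing or invalid settings file: the default (updates on) applies
    return settings.get("extensions.autoUpdate", True) is not False


def build_sample_dir() -> Path:
    """Construct a throwaway extensions directory with two sample manifests.

    Constructed sample data: "example-pub" and both extension names are placeholders.
    """
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-sample-"))
    manifests = {
        "example-pub.plain-theme-1.0.0": {
            "publisher": "example-pub", "name": "plain-theme", "version": "1.0.0",
            "contributes": {"themes": [{"label": "Plain", "path": "./themes/plain.json"}]},
        },
        "example-pub.theme-with-code-1.0.0": {
            "publisher": "example-pub", "name": "theme-with-code", "version": "1.0.0",
            "main": "./out/extension.js",
            "activationEvents": ["*"],
            "contributes": {"themes": [{"label": "Shiny", "path": "./themes/shiny.json"}]},
        },
    }
    for folder, manifest in manifests.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "settings.json").write_text(
        json.dumps({"extensions.autoUpdate": False}), encoding="utf-8")
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for rec in inventory(root):
        print(rec)
    print("suspicious:", [r["id"] for r in flag_suspicious(inventory(root))])
    print("auto-update enabled:", auto_update_enabled(root / "settings.json"))
```

Run it against `Path.home() / ".vscode" / "extensions"` and the user `settings.json` to audit a real machine; the "has code plus broad activation" heuristic is deliberately simple and will flag many legitimate extensions, so treat it as a triage list, not a verdict.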