A dataset of malicious VS Code extensions removed by Microsoft, with VSIX packages and extension metadata.
VS Code's extension ecosystem has become a target for software supply chain attacks. No publicly available, continuously updated dataset existed for malicious VS Code extensions — so we built VSMEx. It tracks Microsoft's official malicious and removed extension lists and captures VSIX packages before they disappear from the marketplace.
To be presented at CODASPY 2026 — June 23–25, Frankfurt am Main, Germany.
The VSIX packages and full metadata are kept in a separate private repository
(kalachkar/vsmex-dataset) and are not publicly available.
Access is gated to prevent misuse — these are real malicious packages.
To request access, email us from an institutional address stating your name, institution, and intended use. We only respond to institutional email addresses.
If you use VSMEx in your research, please cite:
TBD
We thank Marc Ohm for the Backstabbers' Knife Collection, which provided initial malicious VS Code extension samples used in this dataset, and Karlo Zanki from ReversingLabs for sharing additional samples.
Sourced from Microsoft's malicious extensions and removed packages lists
| Extension | Classification | Source | Removed | Captured | Versions | Capture date |
|---|---|---|---|---|---|---|