Despite All My VS Code, I’m Still Just a RAT in a Cage
When collaboration tools turn into backdoors…
Visual Studio Code (VS Code) transformed the developer workspace almost overnight, replacing many competitors in just a few years.
According to Stack Overflow’s 2023 survey, it was the #1 development tool by a wide margin, with over 73% of respondents reporting that they use it regularly.
If your organization does any software development at all, VS Code is already part of your environment.
Why VS Code Dominates
VS Code’s success comes from its extensibility and its association with its older sibling, Visual Studio.
The platform provides a vast library of verified extensions from Microsoft and third-party developers, all available through a built-in marketplace for quick installation.
Developers also benefit from its integrated terminal and console access, which works seamlessly right out of the box.
The result is a single, unified workspace that handles writing, debugging, version control, and collaboration all in one window.
Sharing is Caring
One of VS Code’s built-in features is Live Share, a real-time collaboration tool that lets developers share their workspace with others.
It is extremely useful for pair programming, mentoring, and classroom environments. Setting it up is straightforward for both the presenter and the collaborator.
Typical flow:
The presenter opens VS Code.
If Live Share is not installed, it can be added with one click from the Extensions view.
The presenter selects “Live Share” from the status bar.
The presenter chooses an authentication source (GitHub or Entra ID).
The session begins, and a shareable link is generated, for example:
https://prod.liveshare.vsengsaas.visualstudio.com/join?85DDF0A455D562F86D6FXXXXXXXXXXX
The collaborator opens the link in a browser.
The browser redirects to VS Code and joins the live session.
Within seconds, the remote participant can see the shared files and terminal from the presenter’s environment.
Attendee Rights
By default, a Live Share attendee has the following capabilities:
File access: They can use the VS Code Explorer to create, edit, and delete files or folders within the shared workspace.
Command execution: They can issue commands in any open terminal session, using the permissions of the presenting user.
File transfer: They can upload and download files through the session’s bridged connection.
From a security perspective, this means that a remote participant can:
Write arbitrary code or files to the system.
Execute those files directly from the terminal.
Exfiltrate any data accessible within the shared workspace.
Locking It Down
Presenter Controls
Presenters can start Live Share sessions in read-only mode for code, terminal access, or both.
Always select the most restrictive permissions that still allow collaboration. Each session should be configured to minimize the risk of unwanted actions or malicious use.
Network Controls
To prevent Live Share connections at the network layer, block the following domain:
https://*.liveshare.vsengsaas.visualstudio.com/
Blocking this domain stops cloud-based Live Share sessions.
However, local sharing operates over TCP and can still function independently. Those sessions use configurable ports and hostnames.
Endpoint Controls
At the endpoint level, administrators can detect or remove the Live Share extension automatically.
By default, VS Code installs extensions in the user profile directory for all major operating systems:
~/.vscode/extensions
The Live Share extension folder matches the pattern:
ms-vsliveshare.vsliveshare-*
Create rules in your endpoint protection tools to monitor, alert on, or delete this extension as needed.
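One way to run that check as an inventory sweep, as an added example that is not part of the original article or any vendor tooling. It assumes the listed parent directories for user homes, and it also looks in `.vscode-insiders`, the Insiders build's profile directory, which the article does not mention.

```python
import fnmatch
from pathlib import Path

# Folder pattern from the article; names are lowercased before matching.
PATTERN = "ms-vsliveshare.vsliveshare-*"
# ".vscode" is the article's path; ".vscode-insiders" is an addition (Insiders build).
PROFILE_DIRS = (".vscode", ".vscode-insiders")
# Assumed per-OS parents of user home directories; adjust for your fleet.
HOME_ROOTS = ("/home", "/Users", "C:/Users")


def find_live_share(home_roots=HOME_ROOTS, profile_dirs=PROFILE_DIRS):
    """Return one finding (user, version, path) per Live Share extension folder."""
    findings = []
    for root in map(Path, home_roots):
        if not root.is_dir():
            continue  # this root does not exist on the current OS
        for home in sorted(root.iterdir()):
            for profile in profile_dirs:
                ext_dir = home / profile / "extensions"
                try:
                    entries = sorted(ext_dir.iterdir())
                except OSError:
                    continue  # no VS Code profile here, or not readable
                for entry in entries:
                    name = entry.name.lower()
                    if entry.is_dir() and fnmatch.fnmatchcase(name, PATTERN):
                        findings.append({
                            "user": home.name,
                            # Version is whatever follows the fixed prefix.
                            "version": entry.name[len(PATTERN) - 1:],
                            "path": str(entry),
                        })
    return findings


if __name__ == "__main__":
    # Tab-separated output for a SIEM or a ticketing script to consume.
    for f in find_live_share():
        print(f"{f['user']}\t{f['version']}\t{f['path']}")
```

Run it with enough privilege to read other users' profiles; unreadable profiles are skipped silently, so a low-privilege run under-reports.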
Identity Provider Controls
If your organization uses Entra ID, you can verify who has accessed the Visual Studio Code endpoint through sign-in logs.
Steps:
Log in to portal.azure.com.
Navigate to Users.
Open Sign-in Logs.
Adjust the filter to search for the application “Visual Studio Code.”
This helps identify Live Share activity and confirm whether specific accounts have initiated or joined sessions.
In Closing
VS Code is a powerful, flexible tool that has improved developer productivity across the world.
However, its wide-open extension ecosystem can introduce risk if left unmanaged. Features like Live Share provide tremendous collaboration value but also create potential backdoors for unauthorized access.
Because Live Share currently lacks detailed logging and fine-grained attendee restrictions, organizations should treat it as a monitored capability.
Review its usage regularly, enforce least privilege where possible, and ensure your network, endpoint, and identity controls work together to prevent unapproved sharing.