Is "YonBuilder Developer Studio For Fe" on VS Code Marketplace Safe to Install?

YonBIP · vscode · v1.0.8

Extensions for developing applications running on YNF runtime platform.

Risk Assessment

Analyzed. Risk score: 100 out of 100 (CRITICAL)

21820 security findings detected across all analyzers

VS Code extension analyzed via package manifest and static code analysis

Severity Breakdown

Critical: 0
High: 2436
Medium: 19357
Low: 27
Info: 0

Finding Categories

Malware Signatures: 996
Obfuscation: 4

YARA Rules Matched

26 rules (996 hits)

  • postinstall system command
  • postinstall file manipulation
  • postinstall obfuscation
  • postinstall file download
  • postinstall network communication
  • postinstall environment access
  • postinstall crypto operations
  • credential env files
  • postinstall persistence mechanism
  • postinstall registry modification
  • NoUseWeakRandom
  • DebuggerStatementsShouldNotBeUsed
  • credential git credentials
  • NoUseEval
  • RedirectToUnknownPath
  • OriginsNotVerified
  • +10 more

About This Extension

Extensions for developing applications running on YNF runtime platform.

Detailed Findings

1000 total

YARA Rule Matches: 26 rules

AI Security Report

AI Security Analysis: YonBuilder Developer Studio For Fe

Analysis generated: 2025-12-12T01:18:01+13:00
Model: gemini-3-pro-preview


Quick Facts

UUID: 165a4434-e54f-56cf-a371-d3dc2b4c8a83
Type: vscode
Version: 0.6.300
Users: 4419
Risk Score: 100.0/100 (CRITICAL)
Malware Detected: ⚠️ Yes
Secrets Exposed: ✅ No
Critical Vulns: ✅ No

AI Analysis

Executive Summary

The "YonBuilder Developer Studio For Fe" extension presents a CRITICAL security risk (Risk Score: 100/100) and should be blocked or immediately uninstalled from production environments. The extension originates from an unverified publisher and exhibits aggressive behaviors indistinguishable from malware, including automatic system command execution, registry modification, and network communication during installation. While it may be a legitimate enterprise tool for the YonBIP platform, its current configuration and lack of publisher verification make it too dangerous to trust without a contained, sandboxed environment.

Threat Assessment

The security posture of this extension is extremely poor due to a combination of high-risk behaviors and a lack of identity assurance.

  • Supply Chain Risk: The publisher "YonBIP" is unverified. In the VS Code Marketplace, unverified publishers can easily impersonate legitimate entities. There is no guarantee this extension actually belongs to the legitimate Yonyou/YonBIP software vendor.
  • Aggressive Installation Behavior: The dominance of postinstall findings indicates that this extension executes scripts automatically as soon as it is installed. These scripts are flagged for modifying files, editing the Windows registry, and communicating with external servers. This is a common vector for supply chain attacks.
  • System Integrity Risk: The presence of postinstall_registry_modification and postinstall_system_command indicates the extension attempts to alter the host operating system outside the scope of the VS Code editor sandbox.
  • Massive Attack Surface: With over 21,000 findings (mostly IOCs and medium severity issues), the extension likely bundles a massive number of dependencies (node_modules), significantly increasing the likelihood of including a compromised library.

Risk Justification

The calculated Risk Score of 100/100 is JUSTIFIED.

  1. Unverified Publisher: The lack of verification removes the primary layer of trust.
  2. Remote Code Execution (RCE) Equivalent: The postinstall_system_command findings mean the extension runs shell commands on the user's machine automatically. From a security perspective, this is functional RCE.
  3. Persistence Mechanisms: Registry modifications (postinstall_registry_modification) are often used by malware to maintain persistence after a reboot.
  4. Data Exfiltration Potential: The combination of credential_env_files (scanning for secrets) and postinstall_network_communication creates a viable path for stealing developer credentials.

Key Findings

  • High-Risk Post-Install Scripts (postinstall_system_command, postinstall_file_manipulation)
    • Analysis: The extension runs shell commands and modifies the file system immediately upon installation. This bypasses user consent dialogs typically associated with running extension commands.
  • Registry Modification (postinstall_registry_modification)
    • Analysis: The extension attempts to write to the system registry. This is highly unusual for a standard VS Code extension and suggests deep system integration or potential persistence mechanisms.
  • Credential Interaction (credential_env_files)
    • Analysis: The code contains patterns associated with reading or manipulating environment variable files (e.g., .env), which typically store API keys and database passwords.
  • Obfuscated Code (postinstall_obfuscation)
    • Analysis: Parts of the installation script are obfuscated, deliberately hiding the logic from casual inspection. This is a strong indicator of malicious intent or an attempt to hide proprietary (but unsafe) logic.
  • Network Activity (postinstall_network_communication)
    • Analysis: The installation script initiates network connections, likely to download additional payloads or binaries that were not scanned by the marketplace security checks.

Recommendations

  1. Immediate Removal: Uninstall this extension from all developer workstations immediately.
  2. Block at Organization Level: Add the extension UUID (165a4434-e54f-56cf-a371-d3dc2b4c8a83) to the organization's VS Code blocklist.
  3. Credential Rotation: If this extension was installed on machines containing production secrets (AWS keys, database credentials), rotate those credentials immediately as a precaution due to the credential_env_files and network findings.
  4. System Scan: Run a full endpoint detection and response (EDR) scan on affected machines to check for persistence mechanisms (registry keys) created by the extension.

Mitigation Strategies

If this extension is strictly required for business operations (e.g., developing for the YonBIP platform), the following strict mitigations must be applied:

  1. Strict Isolation: Do not run this on a host machine. Use a Dev Container (Docker) or a disposable Virtual Machine. This ensures that the postinstall scripts execute inside a sandbox and cannot compromise the developer's actual OS or registry.
  2. Network Restrictions: Configure the container/VM firewall to allow traffic only to known, whitelisted domains required for YonBIP development, blocking all other outbound traffic.
  3. Secret Scoping: Do not mount the host's root credential directories (e.g., ~/.ssh, ~/.aws) into the container where this extension is running.

Confidence Assessment

Confidence Level: 80%

I am highly confident in the risk assessment. The combination of an unverified publisher and aggressive system-level behavior (registry/shell commands) objectively constitutes a critical risk.

Caveat: There is a possibility that this is "Enterprise Bloatware" rather than malicious malware—meaning the vendor legitimately intends to configure the environment aggressively. However, without publisher verification and source code analysis of the obfuscated scripts, it must be treated as malicious.


Disclaimer

This analysis was generated by an AI model and should be reviewed by security professionals. The findings are based on automated security scanning and may include false positives. Always verify critical findings manually before taking action.