πŸ›‘οΈ Watchtower - Security Scanner for VS Code

June 11, 2026 Β· View on GitHub

Opening a repo can compromise your machine before you run a single line of code. Watchtower scans untrusted workspaces for malicious code, hidden Unicode threats, and supply chain attacks - automatically, locally, in seconds.

Watchtower detecting invisible Unicode code hidden in a JavaScript file

That sketchy GitHub repo. That interview take-home. That open source project you're about to contribute to. A malicious tasks.json, a hijacked settings.json, or invisible Unicode characters can execute code or poison your AI assistant the moment VS Code opens the folder. Watchtower checks it first.


πŸ” What Gets Scanned

CategoryWhat Watchtower Checks
πŸ‘οΈ Invisible UnicodeHidden code using Unicode tag steganography (U+E0000–U+E007F) - invisible to the human eye, readable by compilers and AI agents
πŸ“‹ Malicious Taskstasks.json commands that run shells, download payloads, or use encoding tricks (curl, base64, certutil)
βš™οΈ Settings HijackingCustom interpreter paths in settings.json pointing to attacker-controlled binaries
🧩 Compromised ExtensionsInstalled extensions cross-referenced against live threat intelligence, with auto-uninstall
πŸ€– AI Agent ExploitsDangerous auto-approval settings and prompt injection vectors in Copilot, Claude Code, Cursor, and other AI coding assistants
πŸš€ Launch ConfigurationsSuspicious pre-launch tasks hidden in .vscode/launch.json
🐳 Dev Container RisksSecurity misconfigurations in .devcontainer files
πŸ“¦ Build HooksMalicious binding.gyp and .npmrc configurations

…and more. Detections run automatically on workspace open and in real time as files change.

πŸš€ Getting Started

Install Watchtower, then follow this workflow for untrusted projects:

  1. Open the project - VS Code asks "Do you trust this folder?"
  2. Choose "No, I don't trust the authors" to stay in Restricted Mode
  3. Watchtower auto-scans on open - review findings in the sidebar
  4. Only click "Trust Folder" after verifying the results are clean

Why Restricted Mode first? If you trust a workspace before scanning, VS Code may already execute malicious tasks and scripts before the scan completes. Open untrusted, scan first, trust after.

Manual scan: Ctrl+Shift+P β†’ Watchtower: Scan Workspace

✨ Features

Real-time threat notifications

Watchtower watches sensitive files (AI agent instructions, VS Code configs) and alerts you the moment something changes behind your back.

Watchtower alerting that a sensitive file was edited in the background

Inline findings, right in your editor

Threats are flagged where they live - including hidden Unicode payloads decoded so you can see exactly what an attacker tried to smuggle in.

Detailed report of a malicious launch configuration

Full control panel

Enable or disable individual rules, tune per-project behavior, exclude folders, and export findings to JSON for CI or team review.

Watchtower control panel with per-rule configuration

🎯 Real-World Attack Context

Watchtower was built in response to documented, active attack campaigns targeting developers:

❓ FAQ

Is Watchtower an antivirus for VS Code? Not exactly - it's a workspace security scanner. It focuses on threats specific to developer environments: malicious repo configurations, invisible Unicode attacks, compromised extensions, and AI agent exploits that traditional antivirus tools don't understand.

Does Watchtower send my code anywhere? No. All scanning runs locally. The only network call is an anonymous extension-reputation check against threat intelligence, with no identifying data and no source code transmitted.

Will it slow down VS Code? No. Scans run asynchronously, skip binary files and common dependency folders (node_modules, .venv, …), and finish in seconds on typical projects.

Can I use it on every project, not just untrusted ones? Yes. By default Watchtower scans every project on startup and in real time. You can restrict it to untrusted workspaces only, or disable automatic scans, via watchtower.startupScans.

I found a false positive / a threat it missed. What do I do? Open an issue on GitHub - detection rules are actively maintained and community reports drive new rules.

πŸ” Privacy

  • Runs locally - no telemetry, no code is sent anywhere
  • Anonymous threat intel - extension checks use an external API with no identifying data
  • Open source - audit the code yourself

⭐ Support the Project

If Watchtower caught something - or just gave you peace of mind - it helps a lot if you:

🀝 Contributing

Found a threat pattern Watchtower should detect? Open an issue or PR on GitHub.

To get started with the codebase:

πŸ“ License

MIT - see LICENSE.md