π‘οΈ Watchtower - Security Scanner for VS Code
June 11, 2026 Β· View on GitHub
Opening a repo can compromise your machine before you run a single line of code. Watchtower scans untrusted workspaces for malicious code, hidden Unicode threats, and supply chain attacks - automatically, locally, in seconds.

That sketchy GitHub repo. That interview take-home. That open source project you're about to contribute to. A malicious tasks.json, a hijacked settings.json, or invisible Unicode characters can execute code or poison your AI assistant the moment VS Code opens the folder. Watchtower checks it first.
π What Gets Scanned
| Category | What Watchtower Checks |
|---|---|
| ποΈ Invisible Unicode | Hidden code using Unicode tag steganography (U+E0000βU+E007F) - invisible to the human eye, readable by compilers and AI agents |
| π Malicious Tasks | tasks.json commands that run shells, download payloads, or use encoding tricks (curl, base64, certutil) |
| βοΈ Settings Hijacking | Custom interpreter paths in settings.json pointing to attacker-controlled binaries |
| π§© Compromised Extensions | Installed extensions cross-referenced against live threat intelligence, with auto-uninstall |
| π€ AI Agent Exploits | Dangerous auto-approval settings and prompt injection vectors in Copilot, Claude Code, Cursor, and other AI coding assistants |
| π Launch Configurations | Suspicious pre-launch tasks hidden in .vscode/launch.json |
| π³ Dev Container Risks | Security misconfigurations in .devcontainer files |
| π¦ Build Hooks | Malicious binding.gyp and .npmrc configurations |
β¦and more. Detections run automatically on workspace open and in real time as files change.
π Getting Started
Install Watchtower, then follow this workflow for untrusted projects:
- Open the project - VS Code asks "Do you trust this folder?"
- Choose "No, I don't trust the authors" to stay in Restricted Mode
- Watchtower auto-scans on open - review findings in the sidebar
- Only click "Trust Folder" after verifying the results are clean
Why Restricted Mode first? If you trust a workspace before scanning, VS Code may already execute malicious tasks and scripts before the scan completes. Open untrusted, scan first, trust after.
Manual scan: Ctrl+Shift+P β Watchtower: Scan Workspace
β¨ Features
Real-time threat notifications
Watchtower watches sensitive files (AI agent instructions, VS Code configs) and alerts you the moment something changes behind your back.

Inline findings, right in your editor
Threats are flagged where they live - including hidden Unicode payloads decoded so you can see exactly what an attacker tried to smuggle in.

Full control panel
Enable or disable individual rules, tune per-project behavior, exclude folders, and export findings to JSON for CI or team review.

π― Real-World Attack Context
Watchtower was built in response to documented, active attack campaigns targeting developers:
- Invisible Unicode / Trojan Source - hidden code in open source repositories
- Contagious Interview (DPRK) - North Korean APT groups targeting developers via fake job interviews
- tasks.json infostealers - multi-stage malware via
.vscodeconfiguration files - Malicious AI skills - compromised coding assistant plugins
- IDEsaster - IDE-specific attack vectors targeting developer workflows
β FAQ
Is Watchtower an antivirus for VS Code? Not exactly - it's a workspace security scanner. It focuses on threats specific to developer environments: malicious repo configurations, invisible Unicode attacks, compromised extensions, and AI agent exploits that traditional antivirus tools don't understand.
Does Watchtower send my code anywhere? No. All scanning runs locally. The only network call is an anonymous extension-reputation check against threat intelligence, with no identifying data and no source code transmitted.
Will it slow down VS Code?
No. Scans run asynchronously, skip binary files and common dependency folders (node_modules, .venv, β¦), and finish in seconds on typical projects.
Can I use it on every project, not just untrusted ones?
Yes. By default Watchtower scans every project on startup and in real time. You can restrict it to untrusted workspaces only, or disable automatic scans, via watchtower.startupScans.
I found a false positive / a threat it missed. What do I do? Open an issue on GitHub - detection rules are actively maintained and community reports drive new rules.
π Privacy
- Runs locally - no telemetry, no code is sent anywhere
- Anonymous threat intel - extension checks use an external API with no identifying data
- Open source - audit the code yourself
β Support the Project
If Watchtower caught something - or just gave you peace of mind - it helps a lot if you:
- Leave a review on the Marketplace - ratings directly improve discoverability so more developers stay safe
- Star the repo on GitHub
- Share it with your team - security is a group effort
π€ Contributing
Found a threat pattern Watchtower should detect? Open an issue or PR on GitHub.
To get started with the codebase:
- Architecture overview - how the extension is organized and where to look
- Creating detections - how to add new analyzers and rules
π License
MIT - see LICENSE.md