We were recently made aware of a Visual Studio extension posing as popular third-party extensions that attempts to install malicious code on the devices it’s downloaded to. In light of these events, we wanted to share a few recommendations and best practices to keep yourself safe when you’re downloading any third-party tools, apps, plugins, or extensions.
If you choose to use browser extensions, here are a few recommended steps to ensure any extension or app you’re installing is legitimate:
Publisher verification: Look for a “Verified” badge next to publisher names (where relevant). Only download extensions through a known platform such as the Safari Extensions, Firefox Extensions, or the Google Chrome Store.
Verify URLs: Ensure that the app or extension URLs match with official documentation or GitHub repositories of what you’re trying to install.
Check the creation/update time: Approach apps and extensions that were recently published with high download counts with caution.
Review permission requests: When an app or extension asks for a set of permissions, make sure that it matches the extension/app’s purpose, and do not provide or allow access to personal information, email address, or other data.
Check its reviews: Look for any reports of suspicious behavior; keep in mind some reviews may be fake, so it’s important to consider the other checks listed here. Be sure to also read the reviews to learn about issues after installation.
Roblox Documentation: For official Roblox tools and features, you can verify Roblox’s support through our documentation. We ensure all our creator tools are documented there.
When in doubt, do not download the extension as it may compromise your Roblox account and expose you to other security risks.
A couple of final tips: regularly check all third-party tools you’ve installed, and remove any that are no longer in use; even if not malicious, this can save you memory and performance!
Also, always use official marketplaces and be wary of any independent repositories.
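The checklist above (publisher badge, documented source URL, publish date versus install count), written out as an added triage script over marketplace listing metadata; this is not part of the announcement or of any Roblox tool, and the allowlist URL, the 30-day/10,000-install thresholds and the sample listings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Listing:
    name: str                # display name shown in the marketplace
    verified: bool           # publisher carries a "Verified" badge
    repo_url: Optional[str]  # repository link shown on the listing, if any
    published: date
    installs: int

# Assumed allowlist: tool name -> repository URL from its own documentation (placeholder URL).
DOCUMENTED_REPOS = {"rojo": "https://example.invalid/rojo/vscode-extension"}

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to catch one-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonated_tool(name: str) -> Optional[str]:
    # Lower-case and drop punctuation so look-alike names compare equal.
    n = "".join(ch for ch in name.lower() if ch.isalnum())
    for tool in DOCUMENTED_REPOS:
        if tool in n or edit_distance(n, tool) <= 1:
            return tool
    return None

def triage(listing: Listing, today: date) -> List[str]:
    # Apply the announcement's checks; an empty list means nothing was flagged.
    findings = []
    tool = impersonated_tool(listing.name)
    if tool and listing.repo_url != DOCUMENTED_REPOS[tool]:
        findings.append(f"name resembles '{tool}' but repository is not the documented one")
    if not listing.verified:
        findings.append("publisher is not verified")
    age = (today - listing.published).days
    if age < 30 and listing.installs >= 10_000:  # thresholds are assumptions
        findings.append(f"published {age} days ago but already has {listing.installs} installs")
    return findings

# Constructed sample listings and reference date, not real marketplace data.
TODAY = date(2024, 4, 12)
GENUINE = Listing("Rojo", True, DOCUMENTED_REPOS["rojo"], date(2020, 1, 15), 250_000)
LOOKALIKE = Listing("Rojo - Roblox Sync", False, None, date(2024, 4, 4), 60_000)
```

Run `triage(LOOKALIKE, TODAY)` to see all three checks fire for the look-alike listing, while the genuine one returns no findings.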
I think it would be good if the wiki got a list of trusted and known vscode extensions like luau-lsp or Rojo, so people know for sure what they’re installing.
I tried different keywords in the search (“external tool”, “toolchain”, “rojo”) and it didn’t come up, and I had to manually navigate the nested structure of the Creator Hub.
It’d likely have to be next to a heavy warning if they do it at all, because even though they’re popular and trusted extensions, ROBLOX themselves still don’t own them, so endorsing them now and then something bad happening with them later down the line could lead to trouble.
Roblox already links directly to the official sources for various tools like Rojo, VSCode, Selene, StyLua, Luau-LSP, and even Wally in the link I shared. The resource is already there, but it is hard to find without digging through nested pages knowing what you’re looking for.
I do think there probably should be a caution to use at your own discretion as these are not officially maintained by Roblox, but the people behind these tools have hard-earned trust and respect among developers familiar with them and their work.
The developers of these tools could have a security mishap where a malicious version gets published, but it would be out of Roblox’s control. It benefits the broader community to have a Roblox resource that directs developers to official sources if these tools are going to exist and be used by all kinds of developers, especially ones behind top experiences.
Not sure why this announcement focuses on browser extensions when this specific vulnerability was a VS Code extension. Although it’s important to talk about both, the announcement is unclear about what happened and which tools were affected. For context, a bad actor uploaded a Visual Studio Code (not to be confused with Visual Studio; they’re separate Microsoft products) extension masquerading as Rojo (the most popular Roblox/filesystem sync tool) and botted its install count so it appeared alongside/right below the real Rojo extension. The fake extension was removed yesterday, but people might’ve installed it while it was still available.
There is no such thing as a trusted extension that is created by a third party, because third parties can be compromised/corrupted/sold off. The only right thing you can do is teach people how to judge safety for themselves, and it will never be perfect. Endorsing any third party tool that is not bound by a contract is unwise.
That doesn’t make sense. How would one download an extension for Visual Studio through their web browser’s extension store?
I get what they’re trying to say, and it makes sense, but come on, at least include the actual Visual Studio store if you’re going to mention browser extension stores.
---
People seem to misunderstand my point. I’m not saying I disagree with this post, quite the contrary.
I know, I never said they weren’t. I guess I did word that weirdly, though. My point is the way they worded it made it sound like that’s what they meant—that you can download VS extensions from the Chrome webstore.
Honestly, this is why I just disable extensions that I don’t need for what I am doing; I only enable Rojo, for example, when I’m actually working with it (rarely).
Anyway, make sure you didn’t have the fake Rojo (only if you installed it around April 4th - April 11th); if you did, you might wanna run a virus scan (well, you should).