Is Codeium Enterprise Updater safe?

Findings

Unverified Publisher

Flags items published by entities that haven’t gone through the publisher verification process of the marketplace. Lack of verification may indicate higher risk, as the publisher’s identity and trustworthiness are unconfirmed.

medium

Unmaintained Item

Flags items that are not maintained on the marketplace, suggesting concerns about the item's reputation and the publisher's reliability.

low

File Creation

Flags items that create or drop files onto the filesystem. This may include downloading content from remote sources or generating new files during execution. While file creation can be benign, it may also indicate attempts to persist malicious payloads, stage further actions, or evade detection by writing artifacts outside the monitored runtime.

low

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

This VSCode extension, Codeium Enterprise Updater, is designed for self-hosted enterprise customers to manage and update the Codeium Enterprise extension. Its primary purpose is to check for updates, download the latest VSIX package from a configured portal URL, and install it, ensuring that the enterprise extension stays up to date. It also provides commands to reset configuration and handle incompatibilities with the standard Codeium extension.

Key Behaviors and API Calls:

Configuration Management: Reads and updates VSCode configuration settings such as portal URLs and API server URLs.
Extension Management: Installs or uninstalls VSCode extensions using VSCode's command API.
Network Communication:
- Connects to a user-configured portal URL (e.g., /api/version, /api/api_server_url, /api/extension_base_url) to check for updates and download the latest extension package.
- Uses HTTPS requests, optionally respecting system proxy settings.
File System Activity:
- Downloads the VSIX file to a temporary file using the tmp module.
- Reads and deletes a file at ~/.codeium/portal_url.txt if present, to import a portal URL.
User Interaction:
- Prompts users for confirmation before uninstalling extensions or changing settings.
- Notifies users of update status and errors.

Notable Code Snippets:

Downloading and Installing VSIX:

const a = (await p.file()).path;
// ...
await async function(e, a, i) {
  const n = r.createWriteStream(i);
  (await e({ url: a, method: "GET", responseType: "stream" })).data.pipe(n);
  return new Promise(((e, a) => {
    n.on("finish", e), n.on("error", a)
  }))
}(s, i, a);
await o.commands.executeCommand(u.Command.INSTALL_EXTENSION, o.Uri.file(a));

Configuration Reset:

o.commands.registerCommand(m.Command.CODEIUM_ENTERPRISE_RESET, async () => {
  (0, p.setConfig)(p.Config.PORTAL_URL, void 0);
  (0, p.setConfig)(p.Config.API_SERVER_URL, void 0);
  (0, p.setConfig)(p.Config.EXTENSION_BASE_URL, void 0);
  o.extensions.getExtension(f) && await o.commands.executeCommand(m.Command.UNINSTALL_EXTENSION, f);
  await (0, l.confirmReload)("Codeium Enterprise reset");
});

Network Domains:

The extension only connects to domains explicitly configured by the user (the portal URL), and does not contain any hardcoded external domains or IPs.

Security Considerations:

All network activity is directed by user configuration.
No evidence of arbitrary code execution, shell command execution, or privilege escalation.
No registry, clipboard, or user account manipulation.
No persistence mechanisms beyond standard VSCode extension activation.

Summary: The extension is focused on managing and updating the Codeium Enterprise extension in a controlled, user-directed manner. All sensitive actions (network, file, extension management) are either user-initiated or based on explicit configuration.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

SECRETS ARE AVAILABLE FOR ENTERPRISE USERS

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

VULNERABILITIES ARE AVAILABLE FOR ENTERPRISE USERS

External communication

Any identifiers we detected that may indicate external communication from the item's code

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

EXTERNAL COMMUNICATIONS ARE AVAILABLE FOR ENTERPRISE USERS

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

@types/axios

Version:

Unknown

@types/node

Version:

Unknown

@types/semver

Version:

Unknown

All dependencies are available for Enterprise users

Licenses & Compliance

Licenses

"Proprietary Software\n\nRedistribution and use in source and binary forms, with or without modification, is not permitted in any form or by any means.\n"...