Visual Studio Code (VS Code) has become the dominant development environment worldwide, used by the majority of software professionals. Its success largely stems from its highly extensible architecture, supported by an extensive marketplace hosting more than 100,000 extensions that allow developers to tailor their workflows. However, recent research and industry investigations have revealed that these extensions can be exploited to execute arbitrary code, exfiltrate data, or compromise build environments.
Despite growing attention to these technical threats, little is known about how such risks are perceived and managed within organizational settings, where developer autonomy intersects with organizational governance and policy. Taking a qualitative approach, we interviewed 21 professionals from 19 companies across five countries to explore how developers perceive and manage the security of VS Code extensions in organizational contexts.
The findings reveal that extension management practices are largely convenience-driven, with developers relying on surface-level Marketplace signals, such as publisher verification, ratings, and download counts, that can easily be manipulated, as shown in prior research. These cues provide reassurance but not assurance, leading developers to conflate popularity or verified status with safety. In most organizations, extension governance is minimal or informal, resulting in fragmented practices where developers must independently assess security risks despite operating in managed environments.
The study concludes that secure extension use in VS Code is not merely a technical issue but a socio-technical and governance challenge that requires coordination across multiple levels. At the marketplace level, clearer communication of verification criteria, greater visibility of permissions or a modified permission model, and stronger mechanisms for signaling risk are needed. At the organizational level, structured allowlist policies, internal vetting workflows, and targeted awareness programs can bridge the gap between platform safeguards and developer behavior. At the developer level, improved understanding and interpretation of trust cues should be supported, not assumed, through organizational policy and education. Together, these measures align platform design, organizational governance, and developer practice toward a shared framework of accountability and safer extension use within professional environments.
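The organizational allowlist the abstract calls for only bridges the gap if something actually checks installed extensions against it. The script below is an added example (not code from the paper or from the VS Code project) of such a check: it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints and reports every extension that is neither on an explicit allowlist nor from a trusted publisher, plus any pinned extension whose installed version differs. The sample CLI output, the allowlist, the trusted-publisher set and the extension IDs in the sample are constructed for illustration only.

```python
"""Audit installed VS Code extensions against an organizational allowlist.

Added example, not from the paper. Input is the text produced by
`code --list-extensions --show-versions`: one `publisher.name@version` per line.
The allowlist maps an extension ID to None (any version accepted) or to a
pinned version string; trusted publishers admit whole namespaces.
"""
import sys
from dataclasses import dataclass

# Constructed sample output; these extension IDs and versions are illustrative.
SAMPLE_LIST_OUTPUT = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.3.0
dbaeumer.vscode-eslint@2.4.4
some-publisher.handy-helper@0.0.3
ms-vscode.cpptools@1.19.9
"""

# Hypothetical organizational policy (assumption, not taken from the paper).
ALLOWLIST = {
    "esbenp.prettier-vscode": "10.4.0",  # pinned: only this exact version
    "dbaeumer.vscode-eslint": None,      # any version accepted
}
TRUSTED_PUBLISHERS = {"ms-python"}


@dataclass(frozen=True)
class Finding:
    extension: str
    version: str
    reason: str


def parse_extension_list(text):
    """Parse `publisher.name@version` lines into {extension_id: version}.

    Extension IDs are case-insensitive in VS Code, so they are lowercased.
    A line without '@' (plain --list-extensions output) gets version ''.
    """
    installed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ext_id, sep, version = line.rpartition("@")
        if not sep:
            ext_id, version = line, ""
        installed[ext_id.lower()] = version
    return installed


def audit(installed, allowlist, trusted_publishers):
    """Return a Finding for every extension that violates the policy.

    Order of checks: an explicit allowlist entry wins (and enforces its pin),
    then a trusted publisher admits the extension, otherwise it is flagged.
    """
    allow = {k.lower(): v for k, v in allowlist.items()}
    trusted = {p.lower() for p in trusted_publishers}
    findings = []
    for ext_id, version in sorted(installed.items()):
        publisher = ext_id.split(".", 1)[0]
        if ext_id in allow:
            pinned = allow[ext_id]
            if pinned is not None and version != pinned:
                findings.append(Finding(
                    ext_id, version,
                    f"installed version {version or '?'} differs from pinned {pinned}"))
            continue
        if publisher in trusted:
            continue
        findings.append(Finding(ext_id, version,
                                "not on allowlist and publisher not trusted"))
    return findings


if __name__ == "__main__":
    # Usage: code --list-extensions --show-versions > ext.txt && python audit.py ext.txt
    # With no argument the constructed sample above is audited instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST_OUTPUT
    for f in audit(parse_extension_list(text), ALLOWLIST, TRUSTED_PUBLISHERS):
        print(f"{f.extension}@{f.version or '?'}: {f.reason}")
```

Two caveats a practitioner should keep in mind. First, `code --list-extensions` reports only the current user's default profile on the machine where it runs; extensions installed in other profiles or on remote hosts (SSH, WSL, containers) need a separate check. Second, a publisher-level trust entry admits every current and future extension under that namespace, which is exactly the kind of popularity-or-verification shortcut the study warns about, so pin individual extensions wherever the organization can keep the pins current.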