Microsoft's Visual Studio Code Snap package fails to delete files on Linux systems, creating a security vulnerability that leaves sensitive data exposed. The bug causes deleted files to remain on disk while appearing removed from the interface, a scenario security researchers call "phantom deletion."
Linux users discovered the issue when attempting to free up disk space or during security audits. Some found old API keys and credentials they believed had been removed months earlier, requiring immediate credential rotation.
The problem affects files deleted through VS Code's graphical interface when installed via Snap, Canonical's containerized package format.
The root cause traces to an October 2024 code change that creates a local Trash folder for each VS Code version instead of using the system trash. According to a Microsoft engineer, the change sets the XDG_DATA_HOME environment variable incorrectly, creating what developers describe as a "bogus Trash that's not the system one."
This local trash folder becomes unmanageable and inflates over time, carried from update to update. Snap also retains older VS Code versions after updates, multiplying the number of local trash folders. Emptying the system trash has no effect on these isolated containers.
"I was running out of space, I pulled open Ubuntu's 'Disk Usage' and was pretty confused by how much space the VS Code snap was using," Hayes said.
Web developer Chris Hayes found 44 GB of files in Snap's local trash folder dating back two years. Another user reported nearly 200 GB of data they thought had been deleted.
The bug was first reported in November 2024 and remains unfixed as of February 2026. Neither Microsoft nor Snap provides tools to manage these local trash folders, though command-line access offers workarounds. VS Code's GitHub repository shows over 12,000 open issues, potentially explaining why this bug has lingered.
Security implications extend beyond disk space concerns. Developers working with sensitive credentials face exposure risks when deleted files persist. The phantom deletion creates false confidence that sensitive data has been removed from systems.
Alternative installation methods avoid the problem. Users can install VS Code via traditional .deb or .rpm packages, use the Flatpak version from Flathub, or run from a .tar.gz download. VSCodium, a popular recompiled version of VS Code, also exhibits the same behavior when installed via Snap.
The default VS Code installation for Linux uses .deb packages rather than Snap, but Ubuntu's App Store defaults to Snap packages. This creates confusion for users who may not realize which package format they've installed.
"Running out of space on Linux can do some weird stuff, since Linux is so dependent on files for running everything," Hayes noted.
Low disk space from accumulating trash files can slow systems, editors, and compilers, potentially causing crashes or failed writes.
Microsoft has not indicated when a fix might arrive.
