Beware: VSCode Forks Risk “Recommended Extension” Attacks
▼ Summary
– AI-powered IDEs forked from VSCode recommend extensions that point to Microsoft’s marketplace, but these extensions are sometimes missing from the open-source OpenVSX registry they must use.
– This creates a security gap where threat actors can claim the unclaimed extension namespaces and upload malicious software.
– Security researchers reported the issue, leading Cursor and Google to fix their IDEs, while Windsurf had not responded.
– To prevent attacks, the researchers claimed the vulnerable namespaces themselves by uploading placeholder extensions and coordinated with the OpenVSX operator on safeguards.
– There is no evidence of prior malicious exploitation, and users are advised to manually verify extension recommendations on OpenVSX.
A significant security vulnerability has been identified in several popular AI-assisted integrated development environments (IDEs) that are forked from Microsoft’s Visual Studio Code. These tools, including Cursor, Windsurf, and Google Antigravity, rely on the open-source OpenVSX registry for extensions due to licensing restrictions that prevent them from accessing Microsoft’s official Visual Studio Marketplace. The core problem stems from inherited, hardcoded lists of “recommended extensions” that still point to the Microsoft marketplace. When these recommended extensions do not exist on OpenVSX, their publisher namespaces remain unclaimed, creating a dangerous opportunity for threat actors.
The recommendation system works in two primary ways. It can be file-based, such as suggesting an Azure Pipelines extension when a developer opens a specific configuration file. Alternatively, it can be software-based, like recommending a PostgreSQL extension upon detecting that software on the developer’s system. Because these IDEs cannot connect to Microsoft’s store, they attempt to pull these suggestions from OpenVSX. If the extension isn’t there, the IDE may still display the recommendation, leading users to search for it manually. This gap allows a malicious actor to claim the vacant namespace on OpenVSX and upload a harmful extension, exploiting the inherent trust users place in these automated suggestions.
Security researchers from the firm Koi discovered this supply-chain risk and reported it to the affected IDE developers. The response has varied, with Cursor addressing the vulnerability by December 1st, 2025. Google took action by removing thirteen extension recommendations from its Antigravity IDE in late December and marking the issue as resolved in early January. As of the latest reports, Windsurf has not yet responded to the disclosure.
To proactively prevent exploitation, Koi researchers claimed several high-risk namespaces themselves. These include extensions for PostgreSQL, Azure Pipelines, Azure tools, and others. They uploaded simple, non-functional placeholder extensions to these slots. This action effectively blocks a potential attacker from using those specific names to distribute malware through the recommendation system. The researchers also collaborated with the Eclipse Foundation, which operates the OpenVSX registry, to audit remaining namespaces, remove unofficial contributors, and implement broader protective measures at the registry level.
There is currently no evidence that this security flaw was exploited by malicious parties before the researchers’ intervention. However, the incident highlights a critical weakness in forked software ecosystems where inherited functionalities may not align with new dependencies. For developers using these AI-powered IDEs, vigilance is essential. It is strongly advised to manually verify any recommended extension by checking its source directly in the OpenVSX registry and confirming it originates from a legitimate and trusted publisher, rather than blindly accepting the IDE’s suggestion.
(Source: Bleeping Computer)
