Several popular AI-powered code editors that are based on Visual Studio Code have been found to suggest extensions that do not exist on the Open VSX registry. This security gap allows attackers to register those unclaimed names and distribute malicious software to unsuspecting developers who follow the editor's built-in recommendations.
Security researchers discovered that IDEs like Cursor, Windsurf, and Trae inherit extension recommendations from Microsoft's official marketplace, but many of these tools are missing from the Open VSX registry used by these forks. Because these namespaces were left unclaimed, anyone could register them and upload arbitrary code. When a developer opens a specific file type or has certain software installed, the IDE triggers a notification suggesting these non-existent extensions. If an attacker has claimed that name, a single click by the user results in the installation of a rogue package.
GET 50% Discount for VPN/ANTIVIRUS SOFTWARE AT 911Cyber - CODE: bit5025
This vulnerability presents a significant supply chain risk because developers naturally trust the suggestions provided by their development environment. Once a malicious extension is installed, it can gain access to sensitive information such as source code, login credentials, and API secrets. To demonstrate the danger, researchers uploaded a harmless placeholder for a PostgreSQL extension which was downloaded over 500 times by users simply because their IDE recommended it. This highlights how easily automated suggestions can be weaponized to bypass traditional security skepticism.
The list of affected extensions includes tools for Azure Pipelines, Heroku, and various database managers. While these editors provide a streamlined experience by bundling AI features, the underlying reliance on the VS Code ecosystem without mirroring its security registry created a massive blind spot. Attackers are increasingly moving toward these types of marketplace exploits because they target the tools developers use most frequently, turning a standard workflow into a potential point of infection.
In response to these findings, several major IDE providers like Cursor and Google have released patches to mitigate the risk. The Eclipse Foundation, which manages the Open VSX registry, has also taken steps to remove unofficial contributors from certain namespaces and implement stronger registry-level protections. These measures are designed to ensure that official-looking names cannot be easily hijacked by third parties looking to distribute malware.
Despite these fixes, the incident serves as a reminder of the evolving threats facing the software development lifecycle. Developers are urged to manually verify the publisher of any extension before approving an installation, even when the suggestion comes directly from their IDE. As AI-powered tools continue to grow in popularity, the security of the third-party ecosystems they rely on will remain a critical focus for both defenders and threat actors alike.
Source: VS Code Forks Recommend Missing Extensions Raising Open VSX Supply Chain Risk