VSCode IDE Forks Expose Users to Recommended Extension Attacks

What happened

VSCode IDE forks expose users to recommended extension attacks due to unsafe extension recommendation behavior. Researchers at Koi Security discovered that several AI-powered Visual Studio Code forks, including Cursor, Windsurf, Google Antigravity, and Trae, use hardcoded extension recommendations that reference namespaces not registered in the OpenVSX marketplace. Attackers could claim those namespaces and publish malicious extensions that appear as trusted recommendations inside the IDEs. While Microsoft’s official Visual Studio Code distribution is not affected, developers using these forks could unknowingly install malicious extensions capable of credential theft or code execution.

Who is affected

Developers and organizations using unofficial VSCode forks that rely on OpenVSX for extension distribution.

Why CISOs should care

Developer tooling represents a high-impact supply-chain attack surface that can expose source code and CI/CD pipelines.

3 practical actions

1. Standardize IDE usage: Require developers to use approved, official IDE distributions only.

2. Control extensions: Enforce allowlists and restrict installation of unverified extensions.

3. Monitor developer endpoints: Detect anomalous extension behavior or outbound connections.
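
An added example (not from Koi Security or any IDE vendor) for action 2: it audits a list of recommended extension IDs against an allowlist and flags any whose namespace is not registered in the marketplace, since an allowlisted ID under an unclaimed namespace can still be claimed by anyone. The extension IDs, the allowlist and the registered-namespace snapshot are constructed sample data; in practice the snapshot would come from the registry your IDE uses.

```python
import re

# Extension IDs take the form "<namespace>.<name>"; the namespace is the publisher.
EXT_ID = re.compile(r"([a-z0-9][a-z0-9_-]*)\.([a-z0-9][a-z0-9_-]*)")


def audit_recommendations(recommended, allowlist, registered_namespaces):
    """Sort recommended extension IDs into four buckets.

    unclaimed_namespace is checked before the allowlist on purpose: an
    allowlist entry only names an ID string, so if nobody owns the namespace
    in the registry, whoever registers it first inherits that trust.
    """
    allow = {e.strip().lower() for e in allowlist}
    registered = {n.strip().lower() for n in registered_namespaces}
    report = {"allowed": [], "not_allowlisted": [],
              "unclaimed_namespace": [], "malformed": []}
    for raw in recommended:
        ext = raw.strip().lower()
        match = EXT_ID.fullmatch(ext)
        if match is None:
            report["malformed"].append(ext)
        elif match.group(1) not in registered:
            report["unclaimed_namespace"].append(ext)
        elif ext in allow:
            report["allowed"].append(ext)
        else:
            report["not_allowlisted"].append(ext)
    return report


# Constructed sample data (hypothetical publishers, not real extensions).
SAMPLE_RECOMMENDED = ["acme-tools.formatter", "ms-example.debugger",
                      "ghostpub.ai-helper", "not an id"]
SAMPLE_ALLOWLIST = ["acme-tools.formatter", "ghostpub.ai-helper"]
SAMPLE_REGISTERED = {"acme-tools", "ms-example"}  # snapshot of claimed namespaces

if __name__ == "__main__":
    result = audit_recommendations(SAMPLE_RECOMMENDED, SAMPLE_ALLOWLIST,
                                   SAMPLE_REGISTERED)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
```

Entries under unclaimed_namespace should be removed from the allowlist or have the namespace registered by a trusted owner before the recommendation is accepted.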