Hackers Compromising Developers with Malicious VS Code, Cursor AI Extensions

The developer tools used by millions of programmers worldwide have become a prime target for attackers seeking to compromise entire organizations.

Visual Studio Code and AI-powered IDEs like Cursor AI, when combined with their extension marketplaces, present a critical vulnerability in the software supply chain.

Unlike regular users, developers hold access to sensitive credentials, source code repositories, and production systems, making them valuable targets for sophisticated threat actors.

A new security concern has surfaced, showing that publishing malicious extensions to these marketplaces is alarmingly straightforward.

The attack vector exploits the trust developers place in their daily development environments, bypassing multiple layers of protection that were designed to keep these platforms safe.

By disguising harmful code as legitimate tools, attackers can gain persistent access to developer machines without triggering typical security alarms.

A cybersecurity engineer, Mazin Ahmed, identified and documented how attackers successfully publish backdoors through these extension marketplaces.

VS Code (Source - Mazin Ahmed)

Ahmed’s research demonstrated that a malicious Python linter extension called Piithon-linter, purposefully misspelled to avoid immediate detection, passed through Microsoft’s security screening and became available on the VS Code Marketplace.

Environment variables exfiltration

The extension enabled attackers to exfiltrate environment variables containing sensitive credentials and deploy remote access tools upon installation.

The most concerning aspect of this attack involves how the malware maintains persistence and evades detection systems.

When VS Code launches, the malicious extension automatically executes without requiring user interaction, thanks to activation events specified in the extension’s configuration.

The extension’s code first scans for running antivirus or endpoint detection solutions. If security software is discovered, the malware halts execution.

However, if the system appears safe, the extension proceeds to harvest environment variables and deploy a Merlin command-and-control agent that provides attackers with complete remote access.

The extension can even determine the operating system at runtime, allowing it to execute the appropriate payload for Windows, macOS, or Linux systems. The research exposed fundamental gaps in security screening.
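A defensive audit for two traits described above, the look-alike name and activation at editor launch, follows as an added example (not code from the article or from Ahmed's research). It assumes launch-time execution is declared through the `activationEvents` values `*` or `onStartupFinished` in the extension's `package.json` (the article does not say which event was used); the approved list, publisher names and sample manifests are constructed.

```python
import difflib
import json
from pathlib import Path

# Activation events that run extension code at editor launch with no user action.
STARTUP_EVENTS = {"*", "onStartupFinished"}

def audit_manifest(manifest, approved_ids):
    """Return a list of findings for one parsed extension package.json."""
    name = str(manifest.get("name", "")).lower()
    ext_id = f"{str(manifest.get('publisher', '')).lower()}.{name}"
    findings = []
    startup = sorted(set(manifest.get("activationEvents", [])) & STARTUP_EVENTS)
    if startup:
        findings.append(f"activates at startup via {startup}")
    if ext_id not in approved_ids:
        findings.append("not on approved list")
        # Near-miss or identical names from another publisher suggest typosquatting.
        approved_names = [a.partition(".")[2] for a in approved_ids]
        close = difflib.get_close_matches(name, approved_names, n=1, cutoff=0.8)
        if close:
            findings.append(f"name resembles approved extension '{close[0]}'")
    return findings

def audit_extensions_dir(ext_dir, approved_ids):
    """Audit each <ext_dir>/<extension>/package.json (VS Code default: ~/.vscode/extensions)."""
    report = {}
    for manifest_path in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            report[manifest_path.parent.name] = ["unreadable manifest"]
            continue
        findings = audit_manifest(manifest, approved_ids)
        if findings:
            report[manifest_path.parent.name] = findings
    return report

# Constructed sample data: one approved extension ID and two manifests.
APPROVED = {"examplecorp.python-linter"}
SAMPLE_SUSPECT = {"name": "piithon-linter", "publisher": "unknownpub",
                  "activationEvents": ["*"]}
SAMPLE_OK = {"name": "python-linter", "publisher": "examplecorp",
             "activationEvents": ["onLanguage:python"]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_SUSPECT, APPROVED))
    print(audit_manifest(SAMPLE_OK, APPROVED))
```

Startup activation alone is common among legitimate extensions, so the findings are most useful in combination: an unapproved extension with a near-miss name that also runs at launch deserves review before it stays installed.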

Microsoft Sandbox IP (Source - Mazin Ahmed)

Microsoft’s sandbox analysis, which supposedly tests extensions in a controlled environment, was bypassed through geofencing techniques that detected when code ran in Microsoft’s United States-based testing infrastructure.

OpenVSX, the marketplace powering Cursor AI and other AI-powered IDEs, performs essentially no security verification whatsoever, relying only on user reporting and agreement terms.

These discoveries highlight a troubling reality: the next major supply chain compromise may originate from the editors that developers trust and use daily.

Without enhanced security controls and verification mechanisms, these vital development tools remain dangerously exposed to coordinated attacks.
