A critical supply chain vulnerability has been discovered affecting millions of developers using popular AI-powered IDEs, including Cursor, Windsurf, and Google Antigravity.
Security researchers revealed that these coding environments were actively recommending non-existent extensions, allowing potential attackers to upload malware that users would unthinkingly install.
The issue stems from how these tools were built. Cursor, Windsurf, and Antigravity are all “forks” (modified versions) of Microsoft’s VS Code.
However, due to licensing restrictions, they cannot use the official Microsoft Extension Marketplace. Instead, they rely on an open-source alternative called OpenVSX.
When these companies copied VS Code, they accidentally inherited a configuration file, essentially a “shopping list” of recommended extensions.

These recommendations are triggered by specific actions, such as opening a generic file type or installing software such as PostgreSQL.

Many of the “official” Microsoft extensions listed in the config file were not available on the OpenVSX marketplace.
The Exploit
This created a massive security gap. Because the extension names were unclaimed on OpenVSX, anyone could register them. An attacker could upload a malicious file using one of these official-sounding names.
When a developer used the IDE, the system would see the gap and automatically prompt the user: “Recommendation: Install this extension.”
Trusting their IDE, the user would click install, effectively handing over full system access to the attacker.
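As an added example (not code from the Koi report or from any of the IDE vendors), here is a Python check a defender could run over a fork’s recommendation config to list every recommended extension ID that does not resolve on the registry the IDE actually uses. The config fragment, its key names and the in-memory registry index are constructed stand-ins; a real audit would replace the set with lookups against the marketplace.

```python
import json
from collections import defaultdict

# Constructed, simplified recommendation config in the spirit of a VS Code
# fork's product.json. Key names and extension IDs are illustrative only.
SAMPLE_PRODUCT_JSON = r'''
{
  "extensionTips": {
    "example-publisher.sql-tools": "{**/*.sql}",
    "example-publisher.yaml-helper": "{**/*.yml,**/*.yaml}"
  },
  "exeBasedExtensionTips": {
    "psql": {
      "friendlyName": "PostgreSQL",
      "recommendations": ["example-db.postgres-client"]
    }
  }
}
'''

# Constructed stand-in for a marketplace index: the extension IDs that
# actually exist on the registry the IDE is pointed at.
PUBLISHED_ON_REGISTRY = {"example-publisher.yaml-helper"}


def extract_recommended_ids(product_json: str) -> set[str]:
    """Collect every extension ID the IDE may auto-recommend."""
    cfg = json.loads(product_json)
    ids = set(cfg.get("extensionTips", {}))          # file-type triggered
    for tip in cfg.get("exeBasedExtensionTips", {}).values():
        ids.update(tip.get("recommendations", []))    # executable triggered
    return ids


def find_unresolved(recommended: set[str], published: set[str]) -> dict[str, list[str]]:
    """Group recommended-but-unpublished IDs by publisher namespace.

    Every namespace returned is one the IDE will recommend from even though
    nothing legitimate backs it on the registry: the gap described above.
    """
    gaps = defaultdict(list)
    for ext_id in sorted(recommended - published):
        namespace, _, name = ext_id.partition(".")
        gaps[namespace].append(name)
    return dict(gaps)


def audit(product_json: str = SAMPLE_PRODUCT_JSON, published=PUBLISHED_ON_REGISTRY):
    return find_unresolved(extract_recommended_ids(product_json), published)
```

Running `audit()` on the constructed input flags two namespaces whose recommended extensions are missing from the registry; with a live index the same output is the list of names to claim or remove from the config before an IDE build ships.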

This could lead to the theft of SSH keys, AWS credentials, and source code, without any phishing required, as reported by Koi AI.
To prove the danger, researchers from Koi claimed these vulnerable namespaces first. They uploaded harmless “placeholder” extensions.
The results were alarming: over 1,000 developers installed these empty files simply because their IDE recommended them.
- Cursor: Acknowledged and fixed the issue on December 1, 2025.
- Google: Initially rejected the report as “Won’t Fix,” but later accepted the vulnerability and rolled out fixes by January 1, 2026.
- Windsurf: Has reportedly not responded to the disclosure.
The Eclipse Foundation, which manages OpenVSX, has since worked to verify namespaces and remove unauthorized contributors to prevent further abuse.
