Popular artificial intelligence (AI)-powered Microsoft Visual Studio Code (VS Code) forks such as Cursor, Windsurf, Google Antigravity, and Trae have been found to recommend extensions that are non-existent in the Open VSX registry, potentially opening the door to supply chain risks when bad actors publish malicious packages under those names.
The problem, according to Koi, is that these integrated development environments (IDEs) inherit the list of officially recommended extensions from Microsoft’s extensions marketplace. These extensions don’t exist in Open VSX.
The VS Code extension recommendations can take two different forms: file-based, which are displayed as toast notifications when users open a file in specific formats, or software-based, which are suggested when certain programs are already installed on the host.
“The problem: these recommended extensions didn’t exist on Open VSX,” Koi security researcher Oren Yomtov said. “The namespaces were unclaimed. Anyone could register them and upload whatever they wanted.”
In other words, an attacker could weaponize the absence of these VS Code extensions and the fact that the AI-powered IDEs are VS Code forks to upload a malicious extension to the Open VSX registry, such as ms-ossdata.vscode-postgresql.
As a result, any time a developer with PostgreSQL installed opens one of the aforementioned IDEs and sees the message “Recommended: PostgreSQL extension,” a trivial install action is enough to result in the deployment of the rogue extension on their system instead.
This simple act of trust can have severe consequences, potentially leading to the theft of sensitive data, including credentials, secrets, and source code. Koi said its placeholder PostgreSQL extension attracted no less than 500 installs, indicating that developers are downloading it simply because the IDE suggested it as a recommendation.
The names of some of the extensions that have been claimed by Koi with a placeholder are listed below –
- ms-ossdata.vscode-postgresql
- ms-azure-devops.azure-pipelines
- msazurermtools.azurerm-vscode-tools
- usqlextpublisher.usql-vscode-ext
- cake-build.cake-vscode
- pkosta2005.heroku-command
In response to responsible disclosure, Cursor and Google have rolled out fixes to address the issue. The Eclipse Foundation, which oversees Open VSX, has since removed non-official contributors and enforced broader registry-level safeguards.
With threat actors increasingly focusing on exploiting the security gaps in extension marketplaces and open-source repositories, it’s essential that developers exercise caution prior to downloading any packages or approving installs by verifying they come from a trusted publisher.