Malicious Extension Supply Chain Risk in AI-Powered VS Code Forks
A critical security flaw has been identified in several popular AI-powered integrated development environments (IDEs) forked from Visual Studio Code, including Cursor, Windsurf, and Google Antigravity. These IDEs, which collectively serve millions of developers, were found to recommend extensions that do not exist in their supported OpenVSX marketplace. Because these extensions' namespaces were unclaimed, attackers could register them and upload malicious packages, which would then be presented as official recommendations to users. Security researchers demonstrated the risk by claiming these namespaces and uploading harmless placeholder extensions, which were still installed by over 1,000 developers, highlighting the high level of trust placed in automated extension suggestions.
The vulnerability arises from inherited configuration files that point to Microsoft's extension marketplace, which these forks cannot legally use, leading to reliance on OpenVSX. Both file-based and software-based recommendations can trigger the installation prompt for these non-existent extensions, such as when opening an azure-pipelines.yaml file or detecting PostgreSQL on a system. The incident underscores a significant supply chain risk, as malicious actors could exploit this gap to distribute harmful code, potentially resulting in the theft of credentials, secrets, or source code. Vendor responses varied, with some IDEs addressing the issue promptly after disclosure, while others were slower to react.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Vendors issue fixes after responsible disclosure
After disclosure, Cursor implemented a fix, while Google Antigravity later accepted the report after initially resisting or dismissing it and issued a partial fix. Reports also indicate Windsurf issued a fix in some accounts, though another source says it did not respond, reflecting an unclear response timeline.
Researchers coordinate with Eclipse Foundation to secure OpenVSX
Following the discovery, the researchers worked with the Eclipse Foundation to secure the exposed namespaces in OpenVSX. The registry also removed non-official contributors and added safeguards to reduce the risk of malicious extension uploads under trusted names.
More than 1,000 developers install the placeholder extensions
The proof-of-concept extensions were installed by over 1,000 developers, with one package reportedly exceeding 500 installs. This demonstrated the scale of trust in automated extension recommendations and the potential impact of a malicious campaign.
Researchers register placeholder extensions to demonstrate exploitability
To prove the supply-chain risk, researchers preemptively claimed missing extension namespaces and uploaded harmless placeholder packages to OpenVSX. The test showed that developers would install extensions simply because their IDEs recommended them.
Researchers discover AI IDEs recommend unclaimed OpenVSX extensions
Security researchers found that Cursor, Windsurf, Google Antigravity, and other VS Code forks were recommending extension identifiers that did not exist in the OpenVSX registry. Because the namespaces were unclaimed, attackers could have registered them and delivered malicious extensions through trusted IDE prompts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
VS Code Forks Recommend Missing Extensions, Creating Supply Chain Risk in Open VSX
thehackernews.com
Open sourceCursor, Windsurf & Google Antigravity IDEs Recommend Malicious App Extension to Developers
cybersecuritynews.com
Open sourceHow We Prevented Cursor, Windsurf & Google Antigravity from Recommending Malware
koi.ai
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
VS Code Extensions Leak Sensitive Secrets, Exposing Users to Supply Chain Attacks
Researchers discovered that over 550 sensitive secrets were inadvertently leaked through more than 500 Visual Studio Code (VS Code) extensions available on both the VS Code and Open VSX marketplaces. These secrets included access and authorization tokens, credentials, API keys, encryption keys, and certificates, which are critical for securing access to various platforms and services. The investigation, conducted by Wiz Security, revealed that the leaked secrets spanned 67 categories, with the majority falling into three main groups: generative AI platforms, high-risk professional platforms such as AWS, GCP, Auth0, and GitHub, and databases like MongoDB and Postgres. Notably, more than 100 of the exposed secrets would have allowed attackers to update the affected extensions themselves. Because VS Code automatically updates extensions, this created a significant risk that attackers could deploy malicious updates to a large user base without user intervention. Wiz Security estimated that, had these vulnerabilities been exploited, malware could have been pushed to approximately 150,000 users in a single attack. The risk was not limited to code-heavy extensions; even theme extensions, which are often perceived as harmless, were found to be capable of introducing malware. The research highlighted that some internal extensions, such as those published by large corporations for internal use, were inadvertently made public, further increasing the attack surface. Vendor-specific extensions, commonly used for convenience, were identified as particularly attractive targets for attackers due to their potential for targeted exploitation. Microsoft was notified of the findings and worked with the researchers to address the issues and mitigate the risks. The incident underscores the importance of rigorous security practices in extension development and the need for continuous monitoring of third-party code in software supply chains. The exposure of secrets in widely used development tools like VS Code demonstrates how supply chain vulnerabilities can have far-reaching consequences. Organizations are advised to audit their use of extensions, restrict unnecessary permissions, and ensure that sensitive credentials are never hardcoded or exposed in public repositories. The case also serves as a warning about the risks of publishing internal tools to public marketplaces, as this can inadvertently expose sensitive infrastructure to external threats. The findings have prompted calls for improved vetting processes for extensions and greater awareness among developers about the risks of credential leakage. This incident is a stark reminder that even seemingly minor oversights in software development can lead to large-scale security incidents affecting tens of thousands of users. The potential for automated malware deployment through compromised extensions highlights the evolving nature of supply chain threats in the software ecosystem. Security researchers continue to monitor the situation and recommend best practices for extension security to prevent similar incidents in the future.
Mar 21, 2026
Security Risks and Vulnerabilities in AI-Powered Developer Tools and Extensions
Security researchers have identified significant risks in AI-powered developer tools and browser extensions, highlighting how new AI capabilities can introduce novel attack vectors. In the case of Anthropic's Claude Chrome extension, researchers at Zenity Labs demonstrated that the extension, which allows the AI to browse and interact with websites on behalf of users, can expose sensitive data and perform actions using the user's credentials. This creates opportunities for indirect prompt injection attacks, where malicious instructions embedded in web content can manipulate the AI to perform harmful actions such as deleting files or sending unauthorized messages. The extension's persistent login state and ability to access private services like Google Drive and Slack further amplify the risk, as attackers could leverage the AI's access for lateral movement within organizations. Similarly, security concerns have been raised about AI-powered integrated development environments (IDEs) forked from Microsoft VSCode, such as Cursor and Windsurf. These IDEs recommend extensions that do not exist in the OpenVSX registry, leaving unclaimed namespaces that threat actors could exploit to distribute malicious code. Researchers from Koi Security reported that some vendors responded by removing vulnerable recommendations, but others have yet to act. These findings underscore the urgent need for both vendors and users to reassess the security implications of integrating AI into development and productivity tools, as traditional security models may not adequately address the unique risks posed by AI-driven automation and extension ecosystems.
Mar 21, 2026
TigerJack Malicious VSCode and OpenVSX Extensions Steal Code and Mine Cryptocurrency
Security researchers have uncovered a coordinated campaign by the threat actor group TigerJack, which targets developers by publishing malicious extensions on both Microsoft's Visual Studio Code (VSCode) Marketplace and the OpenVSX registry. The campaign involves at least 11 different extensions distributed across multiple publisher accounts, with some extensions accumulating over 17,000 downloads before being removed from the official VSCode Marketplace. Despite removal from Microsoft's platform, these extensions remain active and available on the OpenVSX marketplace, which is used by alternative VSCode-compatible editors such as Cursor and Windsurf. The malicious extensions serve various purposes, including exfiltrating developers' source code, mining cryptocurrency using the host's resources, and maintaining persistent remote access. For example, the 'C++ Playground' extension registers a listener to capture and exfiltrate C++ source code in near real-time, while the 'HTTP Format' extension secretly runs a CoinIMP cryptominer in the background, consuming the host's processing power without restrictions. Some variants of the extensions are capable of fetching and executing remote JavaScript code, allowing TigerJack to dynamically update their payloads and potentially deploy additional threats such as credential stealers, ransomware, or API-harvesting scripts. The campaign demonstrates a high level of persistence, with TigerJack repeatedly re-uploading the same malicious code under new names and accounts after takedowns. The extensions are designed to appear as legitimate developer tools, increasing the likelihood of installation by unsuspecting users. The use of OpenVSX as a distribution channel poses a significant risk, as it is less regulated than Microsoft's marketplace and serves as the default for several popular IDEs. Researchers from Koi Security have been actively tracking the campaign and have highlighted the ongoing threat posed by these extensions, especially given their ability to maintain remote control and adapt their functionality without requiring updates. The campaign underscores the risks associated with third-party extension marketplaces and the importance of vetting and monitoring developer tools for malicious behavior. The technical sophistication of the extensions, particularly their ability to execute remote code and evade detection, raises concerns about long-term supply chain compromise within the developer ecosystem. Organizations and individual developers are advised to review installed extensions, monitor for suspicious activity, and prioritize security hygiene when sourcing tools from community-driven marketplaces. The continued presence of these extensions on OpenVSX, despite removal from the official VSCode Marketplace, highlights the challenges in fully eradicating such threats from the software supply chain. Security experts warn that the campaign is ongoing, with TigerJack actively seeking new ways to distribute their malicious payloads and compromise developer environments.
Mar 21, 2026