Angular VS Code extension flaw enabled zero-click code execution from malicious workspaces
Angular disclosed a high-severity arbitrary code execution flaw in the VS Code Angular Language Service extension (Angular.ng-template) that allowed a malicious repository to run code on a developer’s machine when the folder was opened in VS Code. The issue, tracked as CVE-2026-49241, affected versions prior to 21.2.4 and stemmed from the extension reading a workspace-configured typescript.tsdk path from .vscode/settings.json without honoring VS Code Workspace Trust or requiring user approval. That path was then passed to the background Node.js language server, which loaded tsserverlibrary.js from an attacker-controlled location, creating a zero-click path to host compromise and effectively bypassing VS Code Restricted Mode.
Angular fixed the vulnerability in version 21.2.4 through two hardening changes: blocking workspace-level TypeScript SDK loading in untrusted workspaces and requiring explicit confirmation before loading a workspace-level SDK in trusted ones, with approval stored locally in secure workspace state. A second change disables the language server and related command registration until workspace trust is granted, preventing silent execution in restricted environments. The vulnerability was reported by CodeMender from Google DeepMind and is listed with a CVSS 4.0 score of 8.7 as remotely exploitable.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-49241 entry is published
The vulnerability was published as CVE-2026-49241 with a high-severity remote code execution rating and a listed fix in version 21.2.4. The CVE entry describes the same unsafe handling of workspace-configured TypeScript SDK paths in the Angular Language Service VS Code extension.
Angular publishes advisory for zero-click RCE in language service
Angular disclosed a zero-click arbitrary code execution vulnerability affecting the Angular.ng-template VS Code extension before version 21.2.4. The advisory said a malicious repository could use a crafted .vscode/settings.json and rogue tsserverlibrary.js to trigger background code execution when opened, and credited CodeMender from Google DeepMind with reporting the issue.
Angular merges two security fixes for the VS Code extension
On May 22, 2026, Angular merged pull requests #68857 and #68886 into the main branch. The changes added confirmation for workspace TypeScript SDK loading and disabled the language server and related commands in untrusted workspaces until trust is granted.
Angular opens PR to confirm workspace TypeScript SDK loading
Angular opened pull request #68857 to harden the VS Code Angular Language Service extension by requiring explicit confirmation before loading a workspace-level TypeScript SDK path and by blocking such paths in untrusted workspaces.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-49241 - Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Code Extension
cvefeed.io
Open sourceInsecure Workspace Configuration and Dynamic Library Loading in VS Code Angular Language Service Extension · Advisory · angular/angular · GitHub
github.com
Open sourcefix(vscode-extension): disable language server in untrusted workspaces by atscott · Pull Request #68886 · angular/angular · GitHub
github.com
Open sourcefix(vscode-extension): prompt for confirmation before loading workspa… by atscott · Pull Request #68857 · angular/angular · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Angular VS Code Language Service Flaw Enables RCE via Malicious JSDoc Hover Links
A high-severity vulnerability in the **Angular Language Service** extension for Visual Studio Code, tracked as **`CVE-2026-50178`**, allows remote code execution when malicious JSDoc content is rendered inside hover tooltips. The flaw stems from the extension treating tooltip Markdown as trusted while the Angular Language Server forwards insufficiently sanitized JSDoc-derived content, including brackets, raw links, and control characters. An attacker can embed a crafted `command:` URI in a project file or a third-party npm dependency so that, when a developer hovers over the affected symbol and clicks the link, VS Code executes commands on the developer’s host machine. The issue affects **`Angular.ng-template`** versions prior to **`21.2.4`** and can bypass normal **Restricted Mode** and **Workspace Trust** protections in VS Code. GitHub’s advisory says the bug was discovered and reported by **CodeMender from Google DeepMind**, and the published **CVSS 4.0** base score is **8.7**. Users are advised to upgrade the extension to **version `21.2.4` or later** to remediate the vulnerability.
Jun 22, 2026
Malicious VS Code Extensions Delivering Trojan Payloads via Impersonation and Encrypted Loaders
Security researchers reported **malicious Visual Studio Code extensions** being used as a software supply-chain vector to compromise developer workstations. One campaign impersonated a viral AI coding assistant (“**ClawdBot**”) via a fake extension (“ClawdBot Agent”) that appeared legitimate and even functioned as an AI assistant by integrating real APIs (e.g., OpenAI/Anthropic/Google), while **silently dropping malware on Windows at VS Code startup**. The observed payload delivery used camouflage filenames such as `Lightshot.exe` (and references to `Lightshot.dll`) and an Electron-style bundle name `Code.exe`, indicating an effort to blend into common developer tooling and evolve the dropper over time. A separate finding described an **Open VSX** extension masquerading as a popular **Angular Language Service** for VS Code, which bundled legitimate dependencies (e.g., `@angular/language-service` and `typescript`) alongside a **malicious loader** that activates when users open HTML or TypeScript files (`onLanguage:html`, `onLanguage:typescript`). The loader decrypts an embedded payload using **AES-256-CBC** (Node.js `crypto`), with a hardcoded IV and a large hex-encoded ciphertext, then delays and executes the decrypted code—behavior consistent with staged malware delivery and potential worm-like propagation through widely installed editor extensions.
Mar 21, 2026
Malicious Extension Supply Chain Risk in AI-Powered VS Code Forks
A critical security flaw has been identified in several popular AI-powered integrated development environments (IDEs) forked from Visual Studio Code, including Cursor, Windsurf, and Google Antigravity. These IDEs, which collectively serve millions of developers, were found to recommend extensions that do not exist in their supported OpenVSX marketplace. Because these extensions' namespaces were unclaimed, attackers could register them and upload malicious packages, which would then be presented as official recommendations to users. Security researchers demonstrated the risk by claiming these namespaces and uploading harmless placeholder extensions, which were still installed by over 1,000 developers, highlighting the high level of trust placed in automated extension suggestions. The vulnerability arises from inherited configuration files that point to Microsoft's extension marketplace, which these forks cannot legally use, leading to reliance on OpenVSX. Both file-based and software-based recommendations can trigger the installation prompt for these non-existent extensions, such as when opening an `azure-pipelines.yaml` file or detecting PostgreSQL on a system. The incident underscores a significant supply chain risk, as malicious actors could exploit this gap to distribute harmful code, potentially resulting in the theft of credentials, secrets, or source code. Vendor responses varied, with some IDEs addressing the issue promptly after disclosure, while others were slower to react.
Mar 21, 2026