Security Vulnerability in AI-Assisted IDEs: Malicious Extension Risk
This article details a significant security vulnerability affecting AI-assisted Integrated Development Environments (IDEs) like Cursor, Windsurf, Google Antigravity, and Trae. These IDEs, while based on VSCode, use the OpenVSX marketplace for extensions due to licensing restrictions with the official Microsoft Visual Studio Marketplace. The core issue is that these IDEs recommend extensions that are not available in OpenVSX, leaving their namespaces open for malicious actors to exploit.
Here’s a breakdown of the problem:
* Forked from VSCode: These IDEs are built upon the VSCode foundation but cannot directly use the official VSCode extension store.
* OpenVSX Dependency: They rely on OpenVSX, an open-source alternative, for extensions.
* Inherited Recommendations: The IDEs still contain hardcoded recommendations for extensions originally intended for the Microsoft Marketplace.
* Unclaimed Namespaces: Because these recommended extensions aren’t on OpenVSX, their corresponding publisher namespaces remain unclaimed.
* Malicious Potential: Threat actors can register these unclaimed namespaces and upload malicious extensions, leveraging the IDEs’ built-in suggestion system to trick users into installing them.
* Recommendation Triggers: Recommendations are triggered in two ways:
  * File-based: Opening specific files (e.g., azure-pipelines.yaml) prompts a recommendation for a related extension.
  * Software-based: Detecting installed software (e.g., PostgreSQL) triggers a recommendation for a corresponding extension.
Koi Security’s Findings & Response:
* Discovery: Researchers at Koi Security identified this vulnerability.
* Reporting: They reported the issue to Google, Windsurf, and Cursor in late November 2025.
* Google’s Action: Google removed 13 extension recommendations from its IDE on December 26th.
* Lack of Response: Cursor and Windsurf have not yet responded to the report.
* Proactive Mitigation: Koi researchers proactively claimed the namespaces of vulnerable extensions to prevent exploitation, including:
  * ms-ossdata.vscode-postgresql
  * ms-a (the list is incomplete in the provided text)
In essence, the vulnerability stems from a disconnect between the IDEs’ inherited recommendations and the reality of the OpenVSX ecosystem, creating a pathway for attackers to distribute malware through trusted recommendation channels.
This is a serious issue that highlights the complexities of maintaining security in forked software projects and the importance of carefully vetting extension recommendations, especially when relying on alternative marketplaces.
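One way an IDE maintainer or a platform team could vet a recommendation list is to check every recommended ID against the registry the IDE actually installs from and flag entries that do not resolve, so they can be removed. The following is an added example, not code from any of the IDEs or from Koi Security; the recommendation table layout, the registry snapshot, and all extension IDs are constructed placeholders.

```javascript
// Audit extension recommendations against a snapshot of the registry the IDE
// installs from. Everything below is constructed sample data.

// Hypothetical recommendation table (not the real product.json schema),
// covering the file-based and software-based triggers described above.
const RECOMMENDATIONS = [
  { trigger: "file", match: "azure-pipelines.yaml", id: "example-corp.pipelines-tools" },
  { trigger: "software", match: "PostgreSQL", id: "Example-DB.postgres-tools" },
  { trigger: "file", match: "*.py", id: "example-ok.linter" },
  { trigger: "file", match: "Dockerfile", id: "example-ok.missing-ext" },
  { trigger: "software", match: "git", id: "not a valid id" },
];

// Constructed registry snapshot: namespace -> names of published extensions.
const REGISTRY_SNAPSHOT = new Map([["example-ok", new Set(["linter"])]]);

// Extension IDs have the form <namespace>.<name>; compared case-insensitively.
const ID_PATTERN = /^([a-z0-9][a-z0-9-]*)\.([a-z0-9][a-z0-9-]*)$/;

function classify(id, registry) {
  const m = ID_PATTERN.exec(String(id).trim().toLowerCase());
  if (!m) return "malformed-id";
  const [, namespace, name] = m;
  const published = registry.get(namespace);
  if (!published) return "unclaimed-namespace"; // nobody owns the publisher name
  return published.has(name) ? "resolves" : "missing-extension";
}

// Return only the recommendations that should be removed or reviewed,
// with unclaimed namespaces listed first.
function auditRecommendations(recs, registry) {
  const order = { "unclaimed-namespace": 0, "missing-extension": 1, "malformed-id": 2 };
  return recs
    .map((rec) => ({ ...rec, status: classify(rec.id, registry) }))
    .filter((rec) => rec.status !== "resolves")
    .sort((a, b) => order[a.status] - order[b.status]);
}

for (const f of auditRecommendations(RECOMMENDATIONS, REGISTRY_SNAPSHOT)) {
  console.log(`${f.status.padEnd(20)} ${f.id}  (${f.trigger}: ${f.match})`);
}
```

In practice the snapshot would be built from the registry's own listing and the audit rerun whenever the recommendation list or the registry changes.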
