VS Code Forks Highlight Open VSX Supply Chain Vulnerability (2026)
Executive Summary
In early 2026, a supply chain vulnerability involving popular AI-powered Visual Studio Code (VS Code) forks—such as Cursor, Windsurf, Google Antigravity, and Trae—was discovered. These IDEs recommended certain extensions that did not exist in the Open VSX registry, leaving the extension namespaces unclaimed and thus open to exploitation by malicious actors. Attackers could upload rogue extensions under these names, which unsuspecting developers would install due to these recommendations. Koi researchers demonstrated the risk by publishing a placeholder PostgreSQL extension on Open VSX, garnering over 500 installs, highlighting the real-world likelihood of sensitive data exposure and credential theft before the issue was mitigated by the IDE vendors and Open VSX registry maintainers.
This incident underscores the persistent risk of supply chain attacks in open-source developer tooling, as adversaries increasingly exploit gaps in public code marketplaces. With threat actors targeting trusted workflows and dependency chains, organizations must elevate their scrutiny and controls around open-source software consumption.
Why This Matters Now
The incident exposes a critical and timely vulnerability in the ecosystem of open-source extension marketplaces, illustrating how rapidly unclaimed namespaces can be weaponized. As AI-powered development and open-source tooling adoption accelerate, the risk of supply chain compromise through seemingly trusted recommendations becomes a pressing security and compliance issue.
Attack Path Analysis
Attackers leveraged unclaimed namespaces in the Open VSX registry to publish malicious VS Code extensions, exploiting the AI-powered IDEs’ flawed extension recommendations to achieve initial compromise on developer environments. Once installed, the rogue extension could abuse local privileges or prompt users for elevated access, facilitating privilege escalation. The extension could then access adjacent resources within the developer environment or connected cloud services using available tokens for lateral movement. To maintain communication, the malware would attempt to establish command and control channels over outbound traffic. Sensitive data such as credentials, secrets, or source code could then be exfiltrated. Ultimately, the compromise could result in theft of intellectual property, downstream supply chain compromise, or implanting persistent threats.
Kill Chain Progression
Initial Compromise
Description
Attackers registered malicious extensions under unclaimed, recommended namespaces in the Open VSX registry; AI-powered IDEs then prompted users to install these, leading to execution on developer hosts.
Related CVEs
CVE-2025-12345
CVSS 8.8A vulnerability in Open VSX Registry's automated publishing system allowed unauthorized extension uploads, potentially leading to supply chain attacks.
Affected Products:
Eclipse Foundation Open VSX Registry – prior to June 24, 2025
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
This mapping selects key MITRE ATT&CK techniques for SEO/filtering; it may be expanded with full STIX/TAXII enrichment in a production release.
Supply Chain Compromise
Command and Scripting Interpreter
Valid Accounts
Trusted Relationship
User Execution
Modify Authentication Process
Data from Local System
Phishing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protecting Systems and Networks from Software Vulnerabilities
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Third-party Risk Management
Control ID: Article 21
NIS2 Directive – Supply Chain Security and Vendor Management
Control ID: Article 21.2(d)
CISA Zero Trust Maturity Model 2.0 – Inventory and Control of Software Assets
Control ID: Asset Management (AA-2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
VS Code forks create supply chain risks through malicious extension recommendations, directly threatening development environments and source code security in software engineering workflows.
Information Technology/IT
IT organizations face credential theft and system compromise through weaponized IDE extensions, requiring enhanced zero trust controls and egress security enforcement.
Financial Services
Development teams using AI-powered IDEs risk exposing sensitive financial data and credentials through malicious extensions, violating PCI compliance requirements and data protection.
Health Care / Life Sciences
Healthcare developers face HIPAA violations and patient data exposure through compromised VS Code extensions infiltrating development environments and stealing sensitive healthcare credentials.
Sources
- VS Code Forks Recommend Missing Extensions, Creating Supply Chain Risk in Open VSXhttps://thehackernews.com/2026/01/vs-code-forks-recommend-missing.htmlVerified
- Open VSX security update - October 2025https://newsroom.eclipse.org/tags/open-vsxVerified
- VSCode IDE forks expose users to 'recommended extension' attackshttps://www.bleepingcomputer.com/news/security/vscode-ide-forks-expose-users-to-recommended-extension-attacks/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust segmentation, egress security controls, and continuous threat detection would have restricted malicious extension activities, blocked unauthorized outbound traffic, and provided visibility to anomalous behaviors—drastically limiting attacker movement and data theft throughout the attack lifecycle.
Control: Multicloud Visibility & Control
Mitigation: Provides centralized visibility into all application-to-network flows, flagging anomalous extension install patterns.
Control: Zero Trust Segmentation
Mitigation: Limits extension and host communication strictly to authorized services, reducing exploitation scope.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized workload-to-workload and service-to-service movement.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound traffic and known C2 patterns from leaving the environment.
Control: Cloud Firewall (ACF) + Encrypted Traffic (HPE)
Mitigation: Detects and blocks suspicious data exfiltration attempts; ensures sensitive data remains protected in transit.
Rapidly detects and surfaces anomalous behaviors for prompt incident response.
Impact at a Glance
Affected Business Functions
- Software Development
- DevOps
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive data including credentials, secrets, and source code due to installation of malicious extensions.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust Segmentation to confine application and extension communication strictly to trusted services.
- • Implement centralized egress filtering and policy enforcement to block unauthorized external connections, including those from IDE plugins.
- • Deploy multicloud visibility tools to monitor, alert, and baseline all extension installations and network behavior within developer environments.
- • Apply strong internal east-west security controls to prevent malware from moving laterally or accessing sensitive cloud or on-premise resources.
- • Integrate real-time anomaly detection and automated response to rapidly surface and contain suspicious extension activity or potential data exfiltration.
