Executive Summary
In February 2026, critical vulnerabilities were discovered in several widely-used Visual Studio Code (VSCode) extensions, including Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. These extensions, collectively downloaded over 128 million times, contained flaws that could be exploited to steal local files and execute remote code. The vulnerabilities were identified by Ox Security, which attempted disclosure since June 2025 without receiving responses from the maintainers. (bleepingcomputer.com)
This incident underscores the escalating risks associated with third-party development tools and the necessity for rigorous security assessments of IDE extensions. The widespread adoption of these vulnerable extensions highlights the potential for significant supply chain attacks targeting developers and organizations.
Why This Matters Now
The discovery of these vulnerabilities in popular VSCode extensions highlights the urgent need for developers and organizations to scrutinize third-party tools. As these extensions are integral to development workflows, their exploitation can lead to severe security breaches, emphasizing the importance of proactive security measures and regular updates.
Attack Path Analysis
An attacker exploits vulnerabilities in popular VSCode extensions to gain initial access, escalates privileges by executing arbitrary code, moves laterally within the network, establishes command and control channels, exfiltrates sensitive data, and potentially disrupts operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploits vulnerabilities in VSCode extensions such as Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), and Markdown Preview Enhanced (CVE-2025-65717) to execute arbitrary code or steal local files.
Related CVEs
CVE-2025-65715
CVSS 8.8A vulnerability in the Code Runner VS Code extension allows remote code execution via manipulation of the extension's configuration file.
Affected Products:
Jun Han Code Runner – All versions
Exploit Status:
proof of conceptCVE-2025-65716
CVSS 8.8An issue in the Markdown Preview Enhanced VS Code extension allows attackers to execute arbitrary code via a crafted .md file.
Affected Products:
Yiyi Wang Markdown Preview Enhanced – v0.8.18
Exploit Status:
proof of conceptCVE-2025-65717
CVSS 9.1A vulnerability in the Live Server VS Code extension allows attackers to exfiltrate local files via user interaction with a crafted HTML page.
Affected Products:
Ritwick Dey Live Server – v5.7.9
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
IDE Extensions
IDE Tunneling
Exploitation for Defense Evasion
Valid Accounts
File and Directory Discovery
JavaScript
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable security patches.
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Asset Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical supply-chain vulnerabilities in VSCode extensions expose software development environments to remote code execution, data exfiltration, and lateral movement attacks.
Information Technology/IT
VSCode extension flaws create significant enterprise risk through compromised developer workstations, enabling network pivoting and sensitive configuration data theft.
Financial Services
Developer tool vulnerabilities threaten API keys and configuration files containing financial data, creating compliance violations and unauthorized system access risks.
Health Care / Life Sciences
Compromised development environments could expose HIPAA-protected data through stolen configuration files and enable unauthorized access to healthcare application systems.
Sources
- Flaws in popular VSCode extensions expose developers to attackshttps://www.bleepingcomputer.com/news/security/flaws-in-popular-vscode-extensions-expose-developers-to-attacks/Verified
- CVE-2025-65715: Code Runner VS Code RCE Vulnerabilityhttps://www.ox.security/blog/cve-2025-65715-code-runner-vscode-rce/Verified
- CVE-2025-65716: Markdown Preview Enhanced VS Code Vulnerabilityhttps://www.ox.security/blog/cve-2025-65716-markdown-preview-enhanced-vscode-vulnerability/Verified
- CVE-2025-65717: Live Server VS Code Vulnerabilityhttps://www.ox.security/blog/cve-2025-65717-live-server-vscode-vulnerability/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially reducing the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in VSCode extensions may be constrained, limiting their capacity to execute arbitrary code or access local files.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges within the development environment may be constrained, reducing the risk of unauthorized access to sensitive resources.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally across the network may be constrained, reducing the risk of unauthorized access to other systems and resources.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may be constrained, reducing the risk of persistent access to compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data to external servers may be constrained, reducing the risk of data loss.
The attacker's ability to disrupt operations by modifying or deleting critical files, deploying ransomware, or causing system downtime may be constrained, reducing the risk of operational impact.
Impact at a Glance
Affected Business Functions
- Software Development
- Code Review
- Continuous Integration
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive source code, API keys, and developer credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Regularly audit and update VSCode extensions to ensure they are from trusted sources and free from known vulnerabilities.
- • Implement Zero Trust Segmentation to limit the potential for lateral movement within the network.
- • Utilize East-West Traffic Security controls to monitor and restrict internal traffic flows, detecting unauthorized movements.
- • Deploy Egress Security & Policy Enforcement mechanisms to prevent unauthorized data exfiltration.
- • Establish comprehensive Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
