Executive Summary
In late 2025, researchers at Koi Security identified a vulnerability across several AI-powered IDEs forked from Microsoft Visual Studio Code, including Cursor, Windsurf, Google Antigravity, and Trae: the hardcoded lists of "recommended" extensions these forks ship with pointed to publisher namespaces that nobody had claimed in the OpenVSX extension registry. A threat actor could register such a namespace and publish a malicious extension under the exact ID the IDE recommends, riding on the user's trust in a built-in prompt. The risk applied to every developer using an affected fork and opened the door to supply chain malware. After the report, maintainers began removing the vulnerable recommendations, and placeholder, non-functional extensions were published under the unclaimed namespaces to block takeover. No evidence of malicious abuse was found prior to remediation.
The incident underscores the growing risk of software supply chain attacks delivered through open-source registries and trusted, platform-supplied recommendations. As AI-powered tools automate more of the development environment, attackers increasingly target overlooked dependency and plugin ecosystems, and organizations need correspondingly tighter controls over extensions and other third-party components.
Why This Matters Now
Supply chain vulnerabilities in developer tools can be weaponized quickly as development platforms become more automated and reliant on registries. The incident is a clear warning that trust in recommended integrations must be backed by strong registry governance and verification, especially given the proliferation of open-source forks and AI-driven dev environments.
Attack Path Analysis
An attacker could exploit the hardcoded extension recommendations in forked VS Code IDEs by registering an unclaimed namespace on the OpenVSX marketplace and publishing an extension under the exact publisher.name the IDE recommends (Initial Compromise). Because the IDE presents the recommendation as a trusted, built-in prompt, a single click installs the attacker's code. VS Code extensions run inside the extension host with the full privileges of the developer's user account and no permission model, so the extension immediately inherits access to the workspace, the filesystem, and any credentials the developer keeps locally (Privilege Escalation, in the sense that attacker code now runs as the developer). From there it could read source files, SSH keys, and cloud CLI tokens and reach connected cloud services and developer environments (Lateral Movement), beacon to an external server for instructions (Command & Control), and exfiltrate data over egress that is neither monitored nor filtered (Exfiltration). Finally, the attacker could deploy additional malware, tamper with the codebase, or persist across IDE restarts (Impact).
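The check a practitioner would want from this analysis is whether a given fork still recommends any extension whose publisher namespace is unclaimed on the registry the fork actually uses. The following is an added example, not Koi Security's tooling or any IDE vendor's code: it reads the recommendation fields of a VS Code-style product.json (the file in which these hardcoded lists live), extracts every publisher.name ID, and asks the registry whether each publisher namespace has been claimed. The product.json excerpt and the set of claimed namespaces are constructed for the demo; the one real network call, live_namespace_exists(), uses Open VSX's GET /api/{namespace} endpoint, which answers 404 for a namespace nobody has registered, and it is not called unless you wire it in.

```python
"""Audit a VS Code fork's product.json recommendations for unclaimed registry namespaces.

Added example (not Koi Security's tooling or any IDE vendor's code). The product.json
excerpt and claimed-namespace set below are constructed; only live_namespace_exists()
touches the network, and nothing here calls it on import.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Set

# product.json keys VS Code and its forks consult when recommending extensions.
RECOMMENDATION_KEYS = (
    "extensionTips", "extensionImportantTips", "extensionRecommendations",
    "keymapExtensionTips", "languageExtensionTips", "remoteExtensionTips",
    "webExtensionTips", "configBasedExtensionTips", "exeBasedExtensionTips",
)

# Extension IDs are <publisher>.<name>; the publisher part is the registry namespace
# an attacker would have to claim.
EXT_ID = re.compile(r"^[a-z0-9][a-z0-9-]*\.[a-z0-9][a-z0-9-]*$", re.IGNORECASE)


def _id_candidates(node) -> Iterable[str]:
    """Yield dict keys and string list elements under node, never dict values.

    IDs appear as object keys ("extensionTips", nested "recommendations") or as array
    elements ("keymapExtensionTips"); free-text values such as friendlyName "Node.js"
    would otherwise be mistaken for IDs.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _id_candidates(value)
    elif isinstance(node, list):
        for item in node:
            if isinstance(item, str):
                yield item
            else:
                yield from _id_candidates(item)


def recommended_extension_ids(product: dict) -> Set[str]:
    """Every publisher.name ID a fork with this product.json will recommend."""
    ids: Set[str] = set()
    for key in RECOMMENDATION_KEYS:
        for candidate in _id_candidates(product.get(key)):
            if EXT_ID.match(candidate):
                ids.add(candidate.lower())
    return ids


def live_namespace_exists(namespace: str, api_base: str = "https://open-vsx.org/api") -> bool:
    """Real registry check: Open VSX returns 200 for GET /api/{namespace} when the
    namespace is claimed and 404 when nobody has registered it."""
    try:
        with urllib.request.urlopen(f"{api_base}/{namespace}", timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def audit(product: dict, namespace_exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Bucket recommended IDs by whether their publisher namespace is claimed.

    "unclaimed" means anyone can register the namespace and publish under exactly the
    ID the IDE recommends. "claimed" only means someone holds it; whether that someone
    is the publisher the fork intended still has to be checked by hand.
    """
    ids = recommended_extension_ids(product)
    status = {ns: namespace_exists(ns) for ns in {i.split(".", 1)[0] for i in ids}}
    report: Dict[str, List[str]] = {"claimed": [], "unclaimed": []}
    for ext_id in sorted(ids):
        report["claimed" if status[ext_id.split(".", 1)[0]] else "unclaimed"].append(ext_id)
    return report


# Constructed product.json excerpt: the field shapes mirror the real file, the IDs do not.
SAMPLE_PRODUCT_JSON = r"""{
  "nameShort": "Example IDE",
  "extensionsGallery": {"serviceUrl": "https://open-vsx.org/vscode/gallery"},
  "extensionTips": {
    "claimedpub.python-tools": "{**/*.py}",
    "orphan-pub.dockerfile-tools": "{**/Dockerfile}"
  },
  "keymapExtensionTips": ["orphan-pub.sublime-keymap", "claimedpub.vim-keymap"],
  "exeBasedExtensionTips": {
    "node": {
      "friendlyName": "Node.js",
      "windowsPath": "%ProgramFiles%\\nodejs\\node.exe",
      "recommendations": {"another-orphan.node-debug": {"name": "Node Debug", "important": true}}
    }
  }
}"""

# Constructed stand-in for the registry: only this publisher has registered a namespace.
FAKE_CLAIMED_NAMESPACES = {"claimedpub"}


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit against the constructed data, without any network access."""
    return audit(json.loads(SAMPLE_PRODUCT_JSON), lambda ns: ns in FAKE_CLAIMED_NAMESPACES)


if __name__ == "__main__":
    # To audit an installed fork, load its product.json and pass live_namespace_exists.
    for ext_id in audit_sample()["unclaimed"]:
        print(f"UNCLAIMED: {ext_id} (anyone can publish this exact ID)")
```

Point it at the product.json inside the fork's application bundle and pass live_namespace_exists; the audit issues one request per distinct publisher namespace, not per extension. Treat "claimed" as a prompt for a second question, not as a clean bill of health: the namespace may have been taken by someone other than the publisher the fork intended.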
Kill Chain Progression
Initial Compromise
Description
A threat actor registers an extension namespace in OpenVSX that a fork already recommends but that nobody has claimed, then publishes a malicious extension under that exact ID; the IDE's trusted recommendation prompt leads users to install it. No such abuse was observed before the namespaces were claimed and the recommendations removed.
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)
Masquerading: Match Legitimate Name or Location (T1036.005)
User Execution: Malicious File (T1204.002)
Event Triggered Execution: IDE Extensions (T1546.017)
Compromise Host Software Binary (T1554, formerly Compromise Client Software Binary)
Trusted Relationship (T1199)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Inventory of Bespoke and Custom Software and Third-Party Software Components
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Application Security and Integrity Controls
Control ID: PILLAR 3: Applications (Configuration Management)
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting VSCode IDE forks expose software developers to malicious extension recommendations, compromising development environments and code integrity.
Information Technology/IT
IT organizations using AI-powered IDEs such as Cursor and Windsurf face namespace hijacking when those IDEs recommend extensions whose OpenVSX publisher namespaces are unclaimed.
Computer/Network Security
Cybersecurity firms developing tools on affected IDEs are vulnerable to supply chain compromise through malicious extensions masquerading as legitimate recommendations.
Financial Services
Financial institutions' development teams using compromised IDEs risk code tampering and data exfiltration through malicious extensions in secure application development.
Sources
- VSCode IDE forks expose users to "recommended extension" attacks (BleepingComputer): https://www.bleepingcomputer.com/news/security/vscode-ide-forks-expose-users-to-recommended-extension-attacks/
- AI IDEs pushed fake extensions, posing malware risk, say researchers (SC Media): https://www.scworld.com/news/ai-ides-pushed-fake-extensions-posing-malware-risk-say-researchers
- AI-powered VS Code forks expose developers to extension supply chain risks (Cybersecurity Help): https://www.cybersecurity-help.cz/blog/5161.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, egress controls, and real-time threat detection would have restricted the unauthorized installation and activity of malicious extensions, limited their access within the environment, and prevented or identified suspicious outbound traffic indicative of compromise.
Control: Cloud Firewall (ACF)
Mitigation: Malicious extension downloads can be blocked based on reputation, FQDN, or threat signatures.
Control: Zero Trust Segmentation
Mitigation: Extension processes are isolated from broader data and network scope.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral communications are detected and blocked.
Control: Egress Security & Policy Enforcement
Mitigation: C2 traffic is blocked or flagged for investigation.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious data flows and exfiltration attempts prompt alerting and response.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Automated response isolates affected workloads and enforces integrity controls.
Impact at a Glance
Affected Business Functions
- Software Development
- Application Security
- IT Operations
Estimated downtime: 0 days
Estimated loss: $0
Potential exposure of source code, developer credentials, and sensitive project information due to installation of malicious extensions.
Recommended Actions
Key Takeaways & Next Steps
- Implement cloud firewall egress filtering to block downloads of untrusted or suspicious marketplace extensions.
- Enforce Zero Trust segmentation to restrict extension and IDE processes to strictly necessary data and network resources.
- Monitor for anomalous outbound traffic from developer endpoints and respond rapidly to threat activity detected in developer environments.
- Apply east-west traffic controls to prevent unapproved lateral movement from compromised workloads.
- Automate extension and plugin governance: maintain explicit allowlists of publisher.name IDs, review publisher reputations regularly, and periodically confirm that every recommended or allowed ID resolves to a namespace owned by the intended publisher on the registry the IDE actually uses.

