Ethical Hacking News
Four popular VS Code extensions have been found to have vulnerabilities that expose users to cyberattacks, highlighting the need for developers and users to prioritize digital security when using IDEs. With over 125 million installations, these widely used extensions pose a significant threat to users worldwide.
Four popular VS Code extensions, Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview, have been found to be vulnerable to cyberattacks. The affected extensions collectively have over 128 million installations, leaving a significant number of users exposed to security breaches. The vulnerabilities discovered in these widely adopted extensions can be exploited to steal local files and execute code remotely, compromising entire organizations. Three of the four affected extensions have been assigned CVEs (Common Vulnerabilities and Exposures) with high CVSS scores, indicating that they are considered highly critical. Installing poorly designed or malicious extensions, running unnecessary local servers, and failing to apply security updates all increase users' exposure to these vulnerabilities.
VS Code, a popular integrated development environment (IDE) widely used by developers for its ease of use and flexibility, has been marred by security flaws that expose users to potential cyberattacks. According to recent reports, four popular VS Code extensions with over 125 million installations combined have vulnerabilities that could allow hackers to steal files and execute code remotely.
The OX Security Research team, renowned for its diligence in identifying and reporting software vulnerabilities, has conducted an extensive analysis of these widely used extensions. The report, which was published on February 18, 2026, reveals that the four affected extensions are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.
These extensions have collectively been downloaded over 128 million times, rendering a significant number of users vulnerable to security breaches. This alarming statistic highlights the need for developers and users to prioritize security when using VS Code extensions.
The vulnerabilities discovered in these widely adopted extensions are a critical blind spot in modern development security. The report highlights that hackers can exploit these vulnerabilities to steal local files and execute code remotely, compromising entire organizations.
Three of the four affected extensions have been assigned CVEs (Common Vulnerabilities and Exposures), the identifiers used to categorize and track known vulnerabilities across different systems. The first, Live Server (more than 72 million installs), has a CVSS (Common Vulnerability Scoring System) score of 9.1, placing it in the critical range. Code Runner (more than 37 million installs) has a high CVSS score of 7.8, and Markdown Preview Enhanced (more than 8.5 million installs) has a CVSS score of 8.8.
The fourth affected extension, Microsoft Live Preview, has a one-click XSS (Cross-Site Scripting) flaw that can be exploited to exfiltrate files from the user's IDE. The flaw was fixed in version 0.4.16, but no CVE was issued due to a lack of proper credit for the fix.
IDE extensions act like mini-admins with broad access to users' systems. If users install poorly designed or malicious extensions, attackers can run code, modify files, and take over their machines. Opening a project or clicking on a file can allow attackers to move laterally, steal data, and gain full control of the user's machine.
The experts warn that the current "install at your own risk" model is no longer safe. The lack of accountability and incentives for timely fixes has led to the widespread adoption of poorly designed or malicious extensions. To mitigate this threat, solutions such as mandatory security reviews before publishing, AI-powered vulnerability scanning, and enforceable maintainer response rules are proposed.
Users can take several steps to protect themselves against these vulnerabilities:
1. Avoid opening untrusted HTML while localhost servers are running.
2. Avoid running unnecessary servers.
3. Never paste or run unverified snippets in global settings.json.
4. Install only trusted extensions.
5. Monitor or back up settings.json.
6. Disable or remove non-essential extensions.
7. Harden local networks with firewalls.
8. Promptly apply security updates to IDEs, extensions, OS, and development dependencies.
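One way to put steps 4 to 6 of this checklist into practice on a developer workstation, as an added example that is not code from the article or from OX Security: a small Python audit that compares the extensions VS Code reports as installed against an allowlist, and detects drift in settings.json against a backed-up baseline. The allowlist, extension versions and settings values are constructed for the example.

```python
# Added audit helpers for the hardening steps above (not the article's or OX's code).
# Assumes `code --list-extensions --show-versions` prints one publisher.name@version
# per line, and settings.json is JSON or JSONC with only full-line // comments.
import hashlib
import json

# Constructed allowlist for this example; a real one comes from team policy (steps 4 and 6).
ALLOWED_EXTENSIONS = {"ms-python.python", "ritwickdey.liveserver"}

def parse_extension_list(cli_output: str) -> dict:
    """Map lower-cased extension id to version from the CLI listing."""
    installed = {}
    for line in cli_output.splitlines():
        line = line.strip()
        if "@" in line:
            ext_id, version = line.rsplit("@", 1)
            installed[ext_id.lower()] = version
    return installed

def unexpected_extensions(installed: dict, allowed: set) -> list:
    """Extensions present on the machine but absent from the allowlist."""
    allowed_lc = {a.lower() for a in allowed}
    return sorted(e for e in installed if e not in allowed_lc)

def _load_settings(text: str) -> dict:
    """Parse settings.json, dropping full-line // comments (JSONC subset)."""
    kept = [ln for ln in text.splitlines() if not ln.strip().startswith("//")]
    return json.loads("\n".join(kept))

def settings_fingerprint(text: str) -> str:
    """Whitespace-insensitive SHA-256 of settings.json, for a stored baseline (step 5)."""
    canonical = json.dumps(_load_settings(text), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def settings_drift(baseline_text: str, current_text: str) -> dict:
    """Top-level keys added, removed or changed relative to the backed-up baseline."""
    base, cur = _load_settings(baseline_text), _load_settings(current_text)
    return {
        "added": sorted(k for k in cur if k not in base),
        "removed": sorted(k for k in base if k not in cur),
        "changed": sorted(k for k in cur if k in base and cur[k] != base[k]),
    }

if __name__ == "__main__":
    # Constructed sample input; extension versions are made up for the example.
    listing = "ms-python.python@2024.2.1\nritwickdey.LiveServer@5.7.9\nformulahendry.code-runner@0.12.2\n"
    print("unexpected:", unexpected_extensions(parse_extension_list(listing), ALLOWED_EXTENSIONS))
    base = '{\n  // constructed baseline\n  "editor.fontSize": 14,\n  "files.autoSave": "off"\n}'
    cur = '{"editor.fontSize": 14, "files.autoSave": "afterDelay", "example.newSetting": true}'
    print("drift:", settings_drift(base, cur))
```

Run the fingerprint once after a deliberate settings change and store it with the backup; any later mismatch is a prompt to inspect the drift report before trusting the workspace.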
The experts conclude that the vulnerabilities discovered in these widely adopted VS Code extensions, collectively downloaded over 128 million times, expose a critical blind spot in modern development security. While organizations invest heavily in securing production environments, the developer's local machine remains a largely unprotected gateway to an organization's most sensitive assets.
In light of this alarming discovery, it is essential for developers and users to prioritize their digital security when using VS Code extensions. The consequences of not taking these precautions can be severe, with attackers exploiting vulnerabilities to steal files, execute code remotely, and compromise entire organizations.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-the-Vulnerabilities-of-a-125-Million-Install-Base-The-Threat-to-VS-Code-Users-ehn.shtml
https://securityaffairs.com/188185/security/vs-code-extensions-with-125m-installs-expose-users-to-cyberattacks.html
https://thehackernews.com/2026/02/critical-flaws-found-in-four-vs-code.html
Published: Thu Feb 19 00:58:10 2026 by llama3.2 3B Q4_K_M