Ethical Hacking News
A new vulnerability has been discovered in integrated development environments (IDEs) such as Microsoft Visual Studio Code, allowing malicious extensions to bypass verified status and potentially execute operating system commands on developer machines.
Malicious actors can exploit weaknesses in Visual Studio Code (VS Code) to create fake verified extensions. Flawed verification checks allow publishers to add functionality to extensions without losing their verified status, creating a false sense of trust. A proof-of-concept demonstrated by OX Security allowed the creation of a malicious extension that could execute operating system commands. The vulnerability can be reproduced across other IDEs like IntelliJ IDEA and Cursor. Microsoft has addressed the issue by enabling default extension signature verification across all platforms. Developers are advised to install extensions directly from official marketplaces rather than using VSIX extension files shared online to mitigate risks.
The world of software development is often viewed as a safe haven, where creators and developers can express themselves freely without worrying about the repercussions. However, this safety net has been breached by malicious actors who have found a way to exploit weaknesses in Integrated Development Environments (IDEs) like Microsoft Visual Studio Code.
According to a recent study conducted by OX Security researchers Nir Zadok and Moshe Siman Tov Bustan, flawed verification checks in Visual Studio Code allow publishers to add functionality to extensions while maintaining the verified icon. This results in the potential for malicious extensions to appear verified and approved, creating a false sense of trust.
Specifically, the analysis found that Visual Studio Code sends an HTTP POST request to the domain "marketplace.visualstudio[.]com" to determine if an extension is verified or otherwise. The exploitation method essentially involves creating a malicious extension with the same verifiable values as an already verified extension, such as that of Microsoft, and bypassing trust checks.
As a result, it allows rogue extensions to appear verified to unsuspecting developers, while also containing code capable of executing operating system commands. From a security standpoint, this is a classic case of extension sideloading abuse, where bad actors distribute plugins outside the official marketplace. Without proper code signing enforcement or trusted publisher verification, even legitimate-looking extensions can hide dangerous scripts.
In a proof-of-concept (PoC) demonstrated by the cybersecurity company, the extension was configured to open the Calculator app on a Windows machine, thereby highlighting its ability to execute commands on the underlying host.
By identifying the values used in verification requests and modifying them, it was found that it's possible to create a VSIX package file such that it causes the malicious extension to appear legitimate. OX Security said it was able to reproduce the flaw across other IDEs like IntelliJ IDEA and Cursor by modifying the values used for verification without making them lose their verified status.
In response to responsible disclosures, Microsoft said the behavior is by design and that the changes will prevent the VSIX extension from being published to the Marketplace owing to extension signature verification that's enabled by default across all platforms. However, the cybersecurity company found the flaw to be exploitable as recently as June 29, 2025.
The implications of this vulnerability are far-reaching and pose a serious risk to developers who install extensions from online resources such as GitHub. To mitigate such risks, it's advised to install extensions directly from official marketplaces as opposed to using VSIX extension files shared online.
"The ability to inject malicious code into extensions, package them as VSIX/ZIP files, and install them while maintaining the verified symbols across multiple major development platforms poses a serious risk," the researchers said. "This vulnerability particularly impacts developers who install extensions from online resources such as GitHub."
The discovery of this vulnerability highlights the importance of proper verification checks in place to prevent malicious actors from exploiting weaknesses in software development environments. It also underscores the need for developers to be vigilant and cautious when installing extensions, even those that appear legitimate.
In conclusion, the recent study on Visual Studio Code has exposed a critical weakness in the IDE's extension verification process, allowing malicious extensions to bypass verified status and potentially execute operating system commands on developer machines. This highlights the importance of proper code signing enforcement, trusted publisher verification, and caution when installing extensions from online resources.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Flaw-in-IDEs-Like-Visual-Studio-Code-Lets-Malicious-Extensions-Bypass-Verified-Status-ehn.shtml
https://thehackernews.com/2025/07/new-flaw-in-ides-like-visual-studio.html
https://cybersecuritynews.com/flaws-vs-code-marketplace-malicious-extensions/
Published: Tue Jul 1 10:56:52 2025 by llama3.2 3B Q4_K_M
