Ethical Hacking News

The Dark Underbelly of Open Source: Unpacking the Supply Chain Risks of Microsoft's Popular VS Code Forks



Researchers have shown that several popular AI-powered forks of VS Code recommend extensions that do not exist in the Open VSX registry they install from, so an attacker who publishes an extension under one of those unclaimed identifiers gets it presented to users as a recommended extension. The gap creates a supply chain risk for developers who rely on these IDEs and underlines the need for verification that the extensions and packages they install are the ones they expect.

  • Several AI-powered VS Code forks have been found to recommend extensions that are not present in the Open VSX registry they use.
  • The forks inherit recommendation lists written for Microsoft's official extension marketplace, so the identifiers they point at are free for an attacker to register on Open VSX.
  • As part of the study, missing identifiers such as ms-ossdata.vscode-postgresql and ms-azure-devops.azure-pipelines were claimed on Open VSX to demonstrate the risk.
  • Developers should confirm that a recommended extension actually exists in the registry their IDE uses, and who published it, before installing it.
  • The incident highlights the need for stronger supply chain safeguards in extension marketplaces and other open-source ecosystems.



    Verifying the authenticity of software packages, especially in open-source ecosystems, is a long-standing concern for both attackers and defenders. A recent discovery has exposed a supply chain weakness in some of the most widely used integrated development environments (IDEs) for coding: the popular third-party forks of Microsoft's VS Code.

    In a study published by Koi, a cybersecurity firm specializing in threat intelligence and cloud security, researchers found that several AI-powered VS Code forks, including Cursor, Windsurf, Google Antigravity, and Trae, recommend extensions that do not exist in the Open VSX registry. Because those identifiers are unclaimed, a malicious actor can publish rogue extensions under them, and the IDEs will recommend the impostor.

    The problem lies in how these IDEs assemble their list of recommended extensions. They inherit recommendations written for Microsoft's official extension marketplace, but they install from Open VSX, where many of the Microsoft-published extensions in that list have never been published. A recommendation therefore points at an extension that does not exist on Open VSX, and an attacker who registers that identifier there ends up with an extension the IDE recommends as though it were the legitimate one.

    The consequences for developers who rely on these IDEs can be severe. According to Koi, the extension identifiers claimed on Open VSX as part of the study included ms-ossdata.vscode-postgresql, ms-azure-devops.azure-pipelines, and msazurermtools.azurerm-vscode-tools.
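    The check a developer or security team can run for the gap described above, as an added example that is not code from Koi's report or from any of the IDE vendors: read the standard `.vscode/extensions.json` recommendations list and ask the Open VSX registry whether each identifier exists and whether its publisher namespace is verified. The `.vscode/extensions.json` shape and the `https://open-vsx.org/api/{namespace}/{name}` endpoint are real; the `verified` response field is used as documented for that API but should be treated as an assumption and checked against the live registry. The sample workspace file, the sample registry responses, and the `sample_lookup` helper are constructed so the script runs offline.

```python
"""Audit workspace extension recommendations against Open VSX.

Added example, not from the Koi report or the IDE vendors. For each ID in
the "recommendations" list of a .vscode/extensions.json file, it asks the
Open VSX registry whether the extension exists and whether it was published
by a verified owner of its namespace. Live lookups go through
fetch_open_vsx(); the sample run uses constructed responses so it runs
offline. The `verified` field name follows the public Open VSX REST API
(assumption: verify against https://open-vsx.org/api/{namespace}/{name}).
"""
import json
import urllib.error
import urllib.request

OPEN_VSX_API = "https://open-vsx.org/api"

# Constructed sample workspace file: one well-known extension plus two of the
# Microsoft-published identifiers named in the article.
SAMPLE_EXTENSIONS_JSON = """
{
  "recommendations": [
    "ms-python.python",
    "ms-ossdata.vscode-postgresql",
    "ms-azure-devops.azure-pipelines"
  ]
}
"""

# Constructed sample registry responses keyed by "namespace.name".
# None models an HTTP 404 (the extension is not present on Open VSX).
SAMPLE_REGISTRY = {
    "ms-python.python": {"namespace": "ms-python", "name": "python", "verified": True},
    "ms-ossdata.vscode-postgresql": None,
    "ms-azure-devops.azure-pipelines": {
        "namespace": "ms-azure-devops", "name": "azure-pipelines", "verified": False,
    },
}


def parse_recommendations(text):
    """Return the extension IDs listed under "recommendations"; IDs are publisher.name."""
    data = json.loads(text)
    ids = data.get("recommendations", [])
    for ext_id in ids:
        if ext_id.count(".") != 1:
            raise ValueError(f"not a publisher.name extension ID: {ext_id!r}")
    return ids


def fetch_open_vsx(ext_id):
    """Look up one extension on Open VSX. Returns the JSON dict, or None on 404."""
    namespace, name = ext_id.split(".", 1)
    url = f"{OPEN_VSX_API}/{namespace}/{name}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def classify(ext_id, lookup=fetch_open_vsx):
    """Classify one recommendation.

    "missing":    not on Open VSX. An IDE recommending it points at an ID that
                  anyone may be able to publish under; this is the gap in the article.
    "unverified": published, but not by a verified owner of the namespace.
    "ok":         published under a verified namespace.
    """
    meta = lookup(ext_id)
    if meta is None:
        return "missing"
    if not meta.get("verified", False):
        return "unverified"
    return "ok"


def audit(extensions_json_text, lookup=fetch_open_vsx):
    """Map every recommended ID to "missing", "unverified" or "ok"."""
    return {ext_id: classify(ext_id, lookup)
            for ext_id in parse_recommendations(extensions_json_text)}


def sample_lookup(ext_id):
    """Hypothetical offline stand-in for fetch_open_vsx using the constructed responses."""
    return SAMPLE_REGISTRY.get(ext_id)


if __name__ == "__main__":
    # Replace sample_lookup with fetch_open_vsx to audit a real workspace.
    for ext_id, status in audit(SAMPLE_EXTENSIONS_JSON, sample_lookup).items():
        print(f"{status:10s} {ext_id}")
```

    A "missing" result is the one to act on: it means the IDE is recommending an identifier that the registry it installs from does not serve, which is exactly the situation an impostor publisher can exploit. An "unverified" result is weaker evidence and deserves a look at who the publisher actually is before trusting the extension.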

    That developers install these rogue extensions simply because their IDE recommends them exposes a weak point in the current state of supply chain security. It is not enough to assume that a recommended package is authentic; before installing an extension, a developer should confirm that the identifier actually exists in the registry the IDE uses and that the publisher is the one expected.

    Following responsible disclosure, both Cursor and Google have rolled out fixes. The Eclipse Foundation, which oversees Open VSX, has removed the non-official contributors involved and implemented broader registry-level safeguards against the same technique.

    While this incident is a wake-up call for developers and security professionals alike, it is not an isolated one. Threat actors are increasingly targeting gaps in extension marketplaces and open-source repositories, so developers need to remain vigilant and exercise caution when installing software packages.

    In conclusion, this discovery highlights the need for stronger supply chain security in open-source ecosystems. As AI-powered tools take a larger share of the coding landscape, developers and security professionals must work together on verification processes that ensure the packages they rely on are authentic and secure.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Dark-Underbelly-of-Open-Source-Unpacking-the-Supply-Chain-Risks-of-Microsofts-Popular-VS-Code-Forks-ehn.shtml

  • https://thehackernews.com/2026/01/vs-code-forks-recommend-missing.html


  • Published: Tue Jan 6 06:49:06 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
