AI-powered integrated development environments (IDEs) have undeniably transformed software development, with solutions such as Cursor, Windsurf, Google Antigravity and Trae placing predictive intelligence at the heart of the developer experience. These platforms not only recommend code snippets but also suggest extensions that promise to streamline workflows and boost productivity. However, recent findings underscore a significant security concern: the inadvertent recommendation of non-existent extensions is creating notable vulnerabilities for developers and organisations alike.
IDEs now frequently propose extensions to enhance productivity, but in practice, many of these suggestions reference packages that are not actually present in the OpenVSX registry—a common extension marketplace for many VSCode derivatives. This gap opens the door to abuse: threat actors can identify these unregistered extension names, claim them, and upload malicious payloads under what appears to be a legitimate banner. The risk is comparable to leaving unused subdomains open to hijacking, but in this case, the vector is embedded in trusted developer tools.
Popular AI-powered IDEs can recommend extensions by name, regardless of whether they exist. Anyone with an account can register these names in OpenVSX, as there is minimal oversight or vetting. Developers—often trusting the authority of their tools—may unwittingly install these malicious extensions, believing them to be sanctioned and safe.
The result is a potentially wide attack surface. Within an enterprise environment, all it takes is one misguided installation to introduce risk. Malicious extensions could facilitate code exfiltration, persistent access, or enable lateral movement through internal systems before detection occurs.
Defence against this emerging risk hinges on careful processes rather than simple convenience. Manual verification of recommended extensions is essential; teams should assess both the provenance and reputation of any package before installation. Where possible, organisations should consider restricting extension sources through policy, for example, by enabling only pre-approved or internally hosted extension galleries. Raising developer awareness is also fundamental—automation in developer tooling should always be complemented by informed scrutiny.
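As an added example (not from the report, nor from any of the IDEs or registries it names), a small Python triage script for the manual-verification step described above: it parses a VS Code-style `.vscode/extensions.json` recommendations list, resolves each identifier through a pluggable `lookup` callable (a constructed in-memory registry here; in practice it would wrap the registry's per-extension HTTP lookup and return `None` on a 404), and classifies each id so that a recommended name with no registry entry is reported as claimable instead of being installed. The metadata field names `verified` and `timestamp` are assumptions about the registry's response format.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Extension ids are "<namespace>.<name>"; anything else cannot be resolved safely.
EXT_ID = re.compile(r"^([A-Za-z0-9][\w-]*)\.([A-Za-z0-9][\w.-]*)$")


def parse_recommendations(text):
    """Return the 'recommendations' list from a .vscode/extensions.json body."""
    recs = json.loads(text).get("recommendations", [])
    if not isinstance(recs, list) or not all(isinstance(r, str) for r in recs):
        raise ValueError("recommendations must be a list of strings")
    return recs


def triage(ext_ids, allowlist, lookup, now=None, min_age_days=30):
    """Classify each id; only 'allowed' is safe to install without human review.

    lookup(namespace, name) returns the registry's metadata dict, or None when the
    name is not registered at all (i.e. anyone could claim it).
    """
    now, verdicts = now or datetime.now(timezone.utc), {}
    for ext_id in ext_ids:
        m = EXT_ID.match(ext_id)
        meta = lookup(*m.groups()) if m else None
        if not m:
            verdicts[ext_id] = "malformed"
        elif meta is None:
            verdicts[ext_id] = "unregistered"   # hallucinated name: claimable by anyone
        elif ext_id.lower() in allowlist:
            verdicts[ext_id] = "allowed"
        elif not meta.get("verified"):          # assumed field: namespace ownership verified
            verdicts[ext_id] = "unverified-namespace"
        else:                                   # assumed field: ISO 8601 publish time
            published = datetime.fromisoformat(meta["timestamp"].replace("Z", "+00:00"))
            recent = now - published < timedelta(days=min_age_days)
            verdicts[ext_id] = "recently-published" if recent else "needs-review"
    return verdicts


# Constructed stand-in for registry responses (not real extensions).
FAKE_REGISTRY = {("acme", "linter"): {"verified": True, "timestamp": "2020-01-10T00:00:00Z"},
    ("acme", "formatter"): {"verified": True, "timestamp": "2020-01-10T00:00:00Z"},
    ("fresh", "helper"): {"verified": True, "timestamp": "2025-06-01T00:00:00Z"},
    ("newcomer", "linter-plus"): {"verified": False, "timestamp": "2025-06-01T00:00:00Z"}}


def demo(now=datetime(2025, 6, 10, tzinfo=timezone.utc)):
    recs = parse_recommendations(json.dumps({"recommendations": ["acme.linter", "acme.formatter",
        "fresh.helper", "newcomer.linter-plus", "acme.turbo-refactor", "bad id!"]}))
    return triage(recs, {"acme.linter"}, lambda ns, n: FAKE_REGISTRY.get((ns, n)), now=now)
```

Run `demo()` to see the verdicts for the constructed list; in a pipeline, block installation of anything other than `allowed` and route `unregistered` names back to whoever owns the allowlist.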
With AI-driven development platforms increasingly shaping workflows, it is imperative that security and operations teams stay ahead of supply chain threats. The maxim "trust, but verify" applies just as much to the tools themselves as to the code they help produce. As these platforms become more integrated into daily work, applying vigilance at every layer of automation will be critical.
*Original report: https://www.bleepingcomputer.com/news/security/vscode-ide-forks-expose-users-to-recommended-extension-attacks/*