Popular AI-powered forks of Microsoft Visual Studio Code (VS Code), including Cursor, Windsurf, Google Antigravity, and Trae, have been found to recommend extensions that do not exist in the Open VSX registry, potentially exposing developers to supply chain attacks.
According to security firm Koi, the integrated development environments (IDEs) inherit Microsoft’s official extension recommendations from the Visual Studio Marketplace. However, many of those extensions are missing from Open VSX, the alternative registry used by the VS Code forks. The result is a gap where unclaimed extension namespaces can be hijacked by malicious actors.
“The problem: these recommended extensions didn't exist on OpenVSX. The namespaces were unclaimed. Anyone could register them and upload whatever they wanted,” the researchers explained.
An attacker could exploit this by publishing a malicious extension under a trusted name, such as ms-ossdata.vscode-postgresql.
In practice, this means a developer with PostgreSQL installed might see a prompt reading “Recommended: PostgreSQL extension.” Installing it could instead deploy a rogue extension capable of stealing credentials, secrets, or source code. Koi said that its own placeholder PostgreSQL extension was installed more than 500 times.
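The gap Koi describes is mechanical: an IDE reads a list of "publisher.name" identifiers and installs from whichever registry it is wired to, without checking that the identifier resolves to a claimed namespace there. The script below is an added example (not code from Koi, Microsoft, the Eclipse Foundation, or any IDE vendor) showing how a team could audit a project's recommendations before trusting the install prompt. It parses the real `.vscode/extensions.json` shape (JSON with comments, a "recommendations" list of IDs) and classifies each ID against a registry view: published, missing under a claimed namespace, or pointing at a namespace nobody has claimed at all. The registry snapshot and the sample file are constructed for the example; `open_vsx_has_extension` is a thin wrapper over the public Open VSX REST endpoint `GET /api/{namespace}/{extension}` for a live check and is not used by the offline sample run.

```python
"""Audit the extension IDs an IDE recommends against the registry it installs from.

Added example, not vendor code. Reads `.vscode/extensions.json` (JSONC) and flags
recommendations that resolve to nothing on the target registry. The "namespace-
unclaimed" status is the condition described in the report: nobody owns the
publisher namespace on that registry, so the name resolves to whatever is
uploaded under it first.
"""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable

# "publisher.name" identifier shape; a local approximation, not a vendor-published grammar.
EXT_ID_RE = re.compile(r"^([A-Za-z0-9][\w-]*)\.([A-Za-z0-9][\w-]*)$")


def strip_jsonc_comments(text: str) -> str:
    """Remove // and /* */ comments outside string literals (trailing commas are not handled)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, including \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
            continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def parse_recommendations(text: str) -> list[str]:
    """Return the string entries of the "recommendations" list."""
    data = json.loads(strip_jsonc_comments(text))
    return [r for r in data.get("recommendations", []) if isinstance(r, str)]


@dataclass(frozen=True)
class Finding:
    ext_id: str
    status: str  # "ok" | "extension-missing" | "namespace-unclaimed" | "malformed-id"


def audit(recommendations: Iterable[str],
          ext_exists: Callable[[str, str], bool],
          ns_claimed: Callable[[str], bool]) -> list[Finding]:
    """Classify each recommended ID against the registry the IDE will install from."""
    findings = []
    for ext_id in recommendations:
        m = EXT_ID_RE.match(ext_id)
        if not m:
            findings.append(Finding(ext_id, "malformed-id"))
            continue
        ns, name = m.groups()
        if ext_exists(ns, name):
            status = "ok"                     # resolves to a published extension
        elif ns_claimed(ns):
            status = "extension-missing"      # owner exists but has not published this one
        else:
            status = "namespace-unclaimed"    # anyone could register the publisher name
        findings.append(Finding(ext_id, status))
    return findings


def high_risk(findings: list[Finding]) -> list[str]:
    """IDs a CI gate should refuse: recommendations that point at an unclaimed namespace."""
    return [f.ext_id for f in findings if f.status == "namespace-unclaimed"]


def snapshot_lookups(available_ids: set[str], claimed_namespaces: set[str]):
    """Build offline lookup callables from a snapshot of a registry's contents."""
    claimed = set(claimed_namespaces) | {i.split(".", 1)[0] for i in available_ids}
    return (lambda ns, name: f"{ns}.{name}" in available_ids,
            lambda ns: ns in claimed)


OPEN_VSX_API = "https://open-vsx.org/api"


def open_vsx_has_extension(namespace: str, name: str, timeout: float = 10.0) -> bool:
    """Live check: Open VSX answers 200 for a published extension and 404 when absent."""
    req = urllib.request.Request(f"{OPEN_VSX_API}/{namespace}/{name}",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return False
        raise


# Constructed sample: a recommendation file as a fork would read it.
SAMPLE_EXTENSIONS_JSON = """{
  // Recommended for contributors
  "recommendations": [
    "ms-ossdata.vscode-postgresql",   /* inherited from the Marketplace list */
    "redhat.java",
    "redhat.vscode-yaml",
    "not a valid id"
  ]
}"""

# Constructed snapshot standing in for the target registry's published IDs and owners.
SNAPSHOT_AVAILABLE = {"redhat.java", "dbaeumer.vscode-eslint"}
SNAPSHOT_CLAIMED_NAMESPACES = {"redhat", "dbaeumer"}


def run_sample() -> list[Finding]:
    ext_exists, ns_claimed = snapshot_lookups(SNAPSHOT_AVAILABLE, SNAPSHOT_CLAIMED_NAMESPACES)
    return audit(parse_recommendations(SAMPLE_EXTENSIONS_JSON), ext_exists, ns_claimed)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.status:20} {f.ext_id}")
    print("block install for:", high_risk(run_sample()))
```

Swapping `snapshot_lookups` for `open_vsx_has_extension` turns this into a live pre-install check; the namespace-claimed test then needs a registry-side answer as well, which is why the two lookups are separate callables rather than one.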
Following responsible disclosure, Cursor, Windsurf, and Google have released fixes to prevent the issue. The Eclipse Foundation, which maintains Open VSX, has also removed non-official contributors and implemented broader registry-level safeguards to reduce the risk of similar attacks in the future.
