
VSCode IDE Forks Expose Users to Recommended Extension Attacks
The article from BleepingComputer details a security vulnerability in several forks of the Visual Studio Code (VSCode) Integrated Development Environment (IDE), including Cursor, Windsurf, Google Antigravity, and Trae. These forks recommend extensions that are not listed in the OpenVSX registry, the official registry for VSCode extensions. This practice allows malicious actors to register these unclaimed extension names and publish malicious versions. Users who install these recommended extensions risk executing arbitrary code, potentially leading to significant security compromises.

The vulnerability is specific to these forks and does not affect the official VSCode IDE. The article does not provide specific details on the number of extensions affected or the exact timeline of when this vulnerability was discovered.

Technically, this issue represents a supply chain attack vector where the trust in recommended extensions is exploited. The lack of registration in the OpenVSX registry means there is no verification process for these extensions, making it easier for malicious actors to distribute harmful code.

The impact on the cybersecurity landscape is notable as it highlights the risks associated with using modified versions of popular software. It underscores the importance of extension registry integrity and robust verification processes for third-party extensions. For cybersecurity professionals, this serves as a reminder of the potential dangers of unverified extensions and the importance of maintaining strict control over the software supply chain. Users of these forks should exercise caution and verify the authenticity of recommended extensions to mitigate the risk of installing malicious code.
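One way to check recommendations before anyone installs them, as an added example that is not from the BleepingComputer article or any of the IDE projects: the script sorts recommended extension IDs by whether they appear in a registry snapshot. It assumes the recommendations have been exported as JSON with a `recommendations` array (the shape VSCode's workspace `extensions.json` uses) and that a snapshot of registry listings is available as a namespace-to-names mapping; the IDs, the snapshot and the ID pattern are constructed for illustration.

```python
import json
import re

# Assumed ID shape "<namespace>.<name>"; IDs are compared case-insensitively here.
EXT_ID = re.compile(r"^[a-z0-9][a-z0-9-]*\.[a-z0-9][a-z0-9._-]*$", re.IGNORECASE)

# Constructed sample data: hypothetical IDs, not real extensions.
RECOMMENDED_JSON = """
{"recommendations": ["Example-Corp.linter", "example-corp.formatter",
                     "ghost-publisher.helper", "not an id"]}
"""
# Constructed registry snapshot: namespace -> extension names listed under it.
REGISTRY_SNAPSHOT = {"example-corp": {"linter"}}


def audit_recommendations(recommended_json, registry_index):
    """Sort each recommended ID into listed / absent / malformed buckets."""
    report = {"listed": [], "extension_absent": [],
              "namespace_absent": [], "malformed": []}
    index = {ns.lower(): {n.lower() for n in names}
             for ns, names in registry_index.items()}
    for ext_id in json.loads(recommended_json).get("recommendations", []):
        if not isinstance(ext_id, str) or not EXT_ID.match(ext_id):
            report["malformed"].append(ext_id)
            continue
        namespace, name = ext_id.lower().split(".", 1)
        if namespace not in index:
            # No publisher holds this namespace in the snapshot.
            report["namespace_absent"].append(ext_id)
        elif name not in index[namespace]:
            # Namespace exists, but nothing is published under this name.
            report["extension_absent"].append(ext_id)
        else:
            report["listed"].append(ext_id)
    return report


def needs_review(report):
    """IDs that should not be installed on the strength of a recommendation alone."""
    return sorted(report["namespace_absent"] + report["extension_absent"])


if __name__ == "__main__":
    for ext in needs_review(audit_recommendations(RECOMMENDED_JSON, REGISTRY_SNAPSHOT)):
        print("recommended but not listed in registry snapshot:", ext)
```

A listed ID only shows that the name is taken, not who published it, so the publisher still has to be confirmed separately.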