AI-Powered VS Code Forks Risk Supply Chain Attacks via Extensions

Eng. Donya Bino

Cybersecurity researchers have disclosed a supply chain risk in AI-powered VS Code forks such as Cursor, Windsurf, Google Antigravity, and Trae. These IDEs recommend extensions that do not exist in the Open VSX registry, opening the door for malicious packages to be installed inadvertently.

According to Koi Security, these forks inherit extension recommendations from Microsoft's marketplace, but the recommended extensions are unclaimed in Open VSX. Threat actors could exploit this gap to publish rogue extensions, which are then installed when a developer follows the IDE’s recommendation.

“The problem: these recommended extensions didn’t exist on Open VSX. The namespaces were unclaimed. Anyone could register them and upload whatever they wanted,” said Oren Yomtov, Koi security researcher.

Understanding How the Attack Works
The attack abuses the extension recommendation mechanisms built into AI-powered IDEs, including:
1. File-based recommendations, triggered by the type of file you open. Opening certain file types shows a toast notification recommending an extension to install.
2. Program-based recommendations, triggered by software already installed on your computer. Having specific programs installed produces recommendations for extensions associated with them.

For instance, a developer who opens a .sql file (a PostgreSQL file) and sees a toast notification saying "Recommended - Install the PostgreSQL extension" may be tempted to install it and thereby unknowingly introduce malware onto their system. That malware can give the attacker access to credentials, source code, and secrets stored in the developer's code repository.

Koi demonstrated the risk using a placeholder PostgreSQL extension (ms-ossdata.vscode-postgresql). It showed that many developers (over 500 users to date) trust their IDE's automatic extension recommendations without validating the source of the recommendation.

Other placeholder extensions used to demonstrate the same risk include:
1. ms-azure-devops.azure-pipelines
2. msazurermtools.azurerm-vscode-tools
3. usqlextpublisher.usql-vscode-ext
4. cake-build.cake-vscode
5. pkosta2005.heroku-command

Responses and Mitigating Factors
After the vulnerability was responsibly disclosed, both Cursor and Google Antigravity rolled out fixes in their respective IDEs. In addition, the Eclipse Foundation, which manages Open VSX, removed all non-official contributors and implemented additional safeguards at the registry level.
We recommend that developers:
1. Verify the publisher's legitimacy before installing any extension.
2. Search the official marketplace for the recommended package.
3. Treat AI-driven IDE extension recommendations that suggest installing unverified packages with caution.
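The gap described above (an IDE recommends an extension ID whose publisher namespace nobody has claimed on Open VSX) and the three recommendations just given can be turned into a pre-install check. The following is an added example, not code from Koi Security, The Hacker News, or any of the IDE vendors. It reads a VS Code-style extensions.json (JSON that permits comments), splits each ID into namespace and name, and classifies it as claimed-and-verified, claimed-but-unverified, or unclaimed. The registry snapshot it runs against is constructed for the demo; the optional live lookup assumes the Open VSX REST endpoint https://open-vsx.org/api/<namespace>/<name> and its "verified" field, and is not exercised offline.

```python
"""Pre-install check for IDE extension recommendations (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Extension IDs have the form "<namespace>.<name>".
EXT_ID = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_-]*)\.([A-Za-z0-9][A-Za-z0-9_.-]*)$")

Lookup = Callable[[str, str], Optional[Dict]]


@dataclass
class Verdict:
    ext_id: str
    status: str  # "ok" | "unverified" | "unclaimed" | "malformed"
    reason: str


def parse_ext_id(ext_id: str) -> Optional[Tuple[str, str]]:
    """Split 'namespace.name'; return None if the ID is not well formed."""
    m = EXT_ID.match(ext_id)
    return (m.group(1), m.group(2)) if m else None


def load_recommendations(jsonc_text: str) -> List[str]:
    """Parse an extensions.json that may contain // and /* */ comments
    and trailing commas, as VS Code's settings files do.  (Naive: a '//'
    inside a string literal would also be stripped.)"""
    text = re.sub(r"/\*.*?\*/", "", jsonc_text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text).get("recommendations", [])


def assess(ext_id: str, lookup: Lookup) -> Verdict:
    """Classify one recommended extension against a registry lookup."""
    parts = parse_ext_id(ext_id)
    if parts is None:
        return Verdict(ext_id, "malformed", "not a <namespace>.<name> identifier")
    namespace, name = parts
    meta = lookup(namespace, name)
    if meta is None:
        # This is the article's scenario: the name is free for anyone to publish.
        return Verdict(ext_id, "unclaimed",
                       f"'{name}' is absent under namespace '{namespace}'")
    if not meta.get("verified", False):
        return Verdict(ext_id, "unverified",
                       f"namespace '{namespace}' exists but ownership is not verified")
    return Verdict(ext_id, "ok", f"published by verified namespace '{namespace}'")


def review(jsonc_text: str, lookup: Lookup) -> List[Verdict]:
    return [assess(e, lookup) for e in load_recommendations(jsonc_text)]


def blocked(verdicts: List[Verdict]) -> List[str]:
    """IDs a developer should not install without manual verification."""
    return [v.ext_id for v in verdicts if v.status != "ok"]


def openvsx_lookup(namespace: str, name: str, timeout: int = 10) -> Optional[Dict]:
    """Live lookup (assumed endpoint/field names; not used by the offline demo)."""
    import urllib.error
    import urllib.request
    url = f"https://open-vsx.org/api/{namespace}/{name}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # unclaimed or unpublished
        raise


# --- constructed sample input and registry snapshot ---------------------
SAMPLE_EXTENSIONS_JSON = """{
  // constructed sample: one ID from the article, two made-up controls, one bad ID
  "recommendations": [
    "ms-ossdata.vscode-postgresql",
    "another-namespace.some-tool",
    "example-publisher.example-tool",
    "not-an-id",
  ]
}"""

# Stands in for registry responses; the article's ID is deliberately absent.
CONSTRUCTED_REGISTRY: Dict[Tuple[str, str], Dict] = {
    ("example-publisher", "example-tool"): {"verified": True, "version": "1.0.0"},
    ("another-namespace", "some-tool"): {"verified": False, "version": "0.1.0"},
}


def snapshot_lookup(namespace: str, name: str) -> Optional[Dict]:
    return CONSTRUCTED_REGISTRY.get((namespace, name))


if __name__ == "__main__":
    for v in review(SAMPLE_EXTENSIONS_JSON, snapshot_lookup):
        print(f"{v.status:10} {v.ext_id}: {v.reason}")
```

Swapping snapshot_lookup for openvsx_lookup turns this into a live check; anything that comes back "unclaimed" is exactly the condition the article describes, and "unverified" is the case where a search of the official marketplace and a look at the publisher are warranted before installing.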

Cybersecurity Context
With a growing number of open-source repositories and IDE marketplaces being targeted by supply chain attacks, it is becoming more common for attackers to weaponize trusted development tools against unsuspecting users. This case shows the potential consequences of not verifying recommended extensions, and the need for caution when accepting automated recommendations from IDEs.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067