Well-liked AI-powered built-in improvement setting options, similar to Cursor, Windsurf, Google Antigravity, and Trae, advocate extensions which are non-existent within the OpenVSX registry, permitting menace actors to say the namespace and add malicious extensions.
These AI-assisted IDEs are forked from Microsoft VSCode, however can not use the extensions within the official retailer resulting from licensing restrictions. As a substitute, they’re supported by OpenVSX, an open-source market different for VSCode-compatible extensions.
On account of forking, the IDEs inherit the checklist of formally really helpful extensions, hardcoded within the configuration recordsdata, which level to Microsoft’s Visible Studio Market.
These suggestions are available in two varieties: one file-based, triggered when opening a file similar to azure-pipelines.yaml, and recommends the Azure Pipelines extension; the opposite is software-based, occurring when detecting that PostgreSQL is put in on the developer’s system and suggesting a PostgreSQL extension.
supply: Koi
Nonetheless, not the entire really helpful extensions exist on OpenVSX, so the corresponding writer namespaces are unclaimed.
Researchers at supply-chain safety firm Koi say {that a} menace actor may reap the benefits of customers’ belief in app suggestions and register the unclaimed namespaces to push malware.
.jpg)
The researchers reported the problem to Google, Windsurf, and Cursor in late November 2025. Cursor reacted on December 1st by fixing the vulnerability. Google eliminated initially eliminated 13 extension suggestions from its IDE on December 26, and marked the problem as mounted on January 1st. Windsurf has but to reply to the researchers.
In the meantime, Koi researchers claimed the namespaces of the next extensions to stop malicious exploitation:
- ms-ossdata.vscode-postgresql
- ms-azure-devops.azure-pipelines
- msazurermtools.azurerm-vscode-tools
- usqlextpublisher.usql-vscode-ext
- cake-build.cake-vscode
- pkosta2005.heroku-command
The researchers uploaded non-functional placeholder extensions that supply no actual performance however nonetheless block a supply-chain assault.
Moreover, they’ve coordinated with Eclipse Basis, the operator of OpenVSX, to confirm the remaining referenced namespaces, take away non-official contributors, and apply broader registry-level safeguards.
At the moment, there’s no indication that malicious actors have exploited this safety hole earlier than Koi researchers’ discovery and motion.
Customers of forked IDEs are suggested to at all times confirm extension suggestions by manually accessing the OpenVSX registry and checking that they arrive from a good writer.
Replace [Jannuary 5, 14:09 EST]: Article edited to mirror that Cursor knowledgeable Koi researchers that it mounted the issue on December 1st, 2025.
Whether or not you are cleansing up previous keys or setting guardrails for AI-generated code, this information helps your staff construct securely from the beginning.
Get the cheat sheet and take the guesswork out of secrets and techniques administration.
