Attackers have abused AI-powered forks of Microsoft Visual Studio Code, whose extension recommendations can steer developers toward malicious extensions, creating a supply chain risk for developers. Developers are urged to verify an extension's publisher and source before installing it, to avoid pulling in harmful packages. #VSCodeForks #OpenVSX #ExtensionSecurity #SupplyChainRisks
Key points
- Fake extension recommendations in AI-powered VS Code forks can lead to malicious package installations.
- Open VSX registry lacked safeguards, allowing attackers to register unclaimed extension namespaces.
- Installing malicious extensions can result in theft of credentials, secrets, and source code.
- Developers downloaded over 500 instances of the placeholder PostgreSQL extension due to false recommendations.
- Vendors like Cursor, Windsurf, and Google responded with security fixes after the issue was disclosed.
Read More: https://thehackernews.com/2026/01/vs-code-forks-recommend-missing.html