Trusted VSCode forks secretly expose developers to supply-chain attacks through malicious extension recommendations in unclaimed namespaces.

Continue reading
In the race to build the next generation of AI-powered development tools, a critical security oversight has emerged from an unexpected source: the very architecture that enables rapid innovation. Popular Integrated Development Environments (IDEs) like Cursor, Windsurf, Google Antigravity, and Trae—all forked from Microsoft's open-source Visual Studio Code—are inadvertently exposing users to sophisticated supply chain attacks through a seemingly benign feature: extension recommendations.
These AI-assisted platforms, while pushing the boundaries of developer productivity, have inherited a hidden vulnerability from their parent codebase. Due to licensing restrictions, these forks cannot connect to Microsoft's official Visual Studio Marketplace. Instead, they rely on OpenVSX, an open-source alternative registry for VSCode-compatible extensions. This architectural divergence has created a dangerous gap between intention and execution when it comes to extension recommendations—a gap threat actors are poised to exploit.
The vulnerability operates through two distinct recommendation pathways, both hardcoded into the forked IDEs:
The critical failure occurs because these recommendations—copied directly from VSCode's configuration—point to extensions in Microsoft's marketplace that do not exist in the OpenVSX registry. This leaves their corresponding publisher namespaces unclaimed and available for registration by anyone, including malicious actors.
Researchers from supply-chain security firm Koi identified this security gap and demonstrated how threat actors could:
The table below outlines some of the critical namespaces that were vulnerable:
| Extension Namespace | Associated Technology | Risk Level |
|---|---|---|
| `ms-ossdata.vscode-postgresql` | PostgreSQL | High |
| `ms-azure-devops.azure-pipelines` | Azure DevOps | High |
| `msazurermtools.azurerm-vscode-tools` | Azure Resource Manager | Medium |
| `usqlextpublisher.usql-vscode-ext` | Azure Data Lake | Medium |
In late November 2025, Koi researchers responsibly disclosed their findings to the affected companies. The response timeline reveals concerning disparities in security prioritization:
This incident highlights a growing tension in the developer tools ecosystem: the push for AI-enhanced productivity versus foundational security hygiene. Forking established platforms like VSCode enables rapid feature development but also blindly inherits security assumptions that may not hold in new contexts.
This vulnerability represents more than just another extension security issue—it exposes systemic weaknesses in how we manage forked software ecosystems:
For developers using forked VSCode variants, several protective measures are essential:
For the industry, this incident signals the need for:
The unclaimed namespace vulnerability in VSCode forks represents a paradigm case of modern software supply chain risk—where well-intentioned architectural decisions based on licensing, forking, and ecosystem development inadvertently create security gaps. As the AI-powered IDE landscape continues to evolve at breakneck speed, security cannot remain an inherited afterthought.
The rapid response from some players (Google) and concerning silence from others (Cursor, Windsurf) paints a fragmented security picture in an increasingly critical developer tools segment. What begins as a convenient extension recommendation could end as a sophisticated software supply chain attack, compromising not just individual developers but the integrity of the applications they build.
As we delegate more of our development workflow to AI-assisted tools, we must simultaneously strengthen the human oversight of the underlying systems that make these innovations possible. The forks in our code have created forks in our security responsibility—and bridging these gaps will determine whether the next generation of development tools empowers developers or endangers them.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation