The Developer’s Trap: How AI IDEs Like Cursor and Windsurf Risked a Silent Supply Chain Attack
Popular IDEs with AI assistants—such as Cursor, Windsurf, Google Antigravity, and Trae—have been found vulnerable to a supply-chain attack. These environments prompt users to install extensions that are absent from the OpenVSX catalog. The danger lies in the fact that such unclaimed names can be registered by anyone, allowing a malicious actor to publish a harmful extension under a trusted brand.
These development environments are built on a fork of Microsoft’s VS Code but, due to licensing restrictions, cannot use the official Visual Studio Marketplace. Instead, they rely on OpenVSX, an open alternative for compatible extensions. This is where a legacy issue from VS Code emerges. The IDE configurations already contain a list of officially recommended extensions, originally designed for Microsoft’s marketplace rather than OpenVSX.
Recommendations surface in two ways. The first is file-based: when a developer opens, for example, an azure-pipelines.yaml file, the IDE suggests installing the Azure Pipelines extension. The second depends on the environment: if the IDE detects PostgreSQL installed on the system, it may recommend an extension for working with that database.
As Koi researchers note, not all extensions on the recommendation list actually exist in OpenVSX. As a result, the corresponding publisher namespaces in the registry may remain unclaimed. According to the researchers, attackers could exploit users’ trust in in-IDE prompts by registering an unused name and uploading a malicious extension. To the user, it would appear as a perfectly legitimate, familiar suggestion originating from the development environment itself.
The issue was reported to Google, Windsurf, and Cursor in late November 2025. Cursor reportedly fixed the vulnerability on December 1. Google removed 13 recommendations on December 26 and marked the issue as resolved on January 1. Windsurf, however, did not provide feedback to Koi researchers regarding the problem.
To mitigate the risk of exploitation, the Koi team preemptively claimed several potentially dangerous namespaces and uploaded inert “placeholder” extensions that perform no actions but prevent impersonation. These include the following extension identifiers: ms-ossdata.vscode-postgresql, ms-azure-devops.azure-pipelines, msazurermtools.azurerm-vscode-tools, usqlextpublisher.usql-vscode-ext, cake-build.cake-vscode, and pkosta2005.heroku-command. The researchers also collaborated with the Eclipse Foundation, which oversees OpenVSX, to review remaining namespaces, remove unauthorized publishers, and implement broader registry-level safeguards.
So far, there is no evidence that attackers exploited this gap before it was discovered and addressed. Nevertheless, users of IDEs based on VS Code forks are advised to treat extension recommendations with caution. It is safer to open the extension’s page in OpenVSX manually and verify the publisher’s identity and credibility before installing anything.
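The manual check advised above can also be enforced as a policy gate before any recommended extension is installed. The sketch below is an added example, not code from Koi, OpenVSX, or any IDE vendor; the snapshot contents, the field names `verified` and `published_by`, and the reviewed-publisher list are constructed assumptions and do not reflect the real registry schema or state.

```python
"""Vet IDE extension recommendations against registry metadata before install."""

# Constructed registry snapshot. Field names are assumptions for this sketch,
# and the values are sample data, not the registry's real state.
SNAPSHOT = {
    "ms-azure-devops.azure-pipelines": {"verified": False, "published_by": "placeholder-owner"},
    "pkosta2005.heroku-command": {"verified": True, "published_by": "someone-else"},
    "cake-build.cake-vscode": {"verified": True, "published_by": "cake-build"},
}

# Publisher accounts the organisation has reviewed, keyed by namespace (constructed).
REVIEWED_PUBLISHERS = {"cake-build": {"cake-build"}}


def vet(ext_id, snapshot, reviewed):
    """Return (verdict, reason) for one recommended extension identifier."""
    ext_id = ext_id.strip().lower()  # extension identifiers are case-insensitive
    namespace, sep, name = ext_id.partition(".")
    if not sep or not namespace or not name:
        return ("block", "malformed extension id")
    meta = snapshot.get(ext_id)
    if meta is None:
        # A recommendation with no registry entry must never be auto-installed:
        # whoever registers the name later inherits the IDE's endorsement.
        return ("block", "not in registry")
    if not meta.get("verified", False):
        return ("review", "namespace ownership not verified")
    if meta.get("published_by") not in reviewed.get(namespace, set()):
        return ("review", "publisher not on reviewed list")
    return ("allow", "verified namespace and reviewed publisher")


def vet_all(recommended, snapshot=SNAPSHOT, reviewed=REVIEWED_PUBLISHERS):
    """Vet every recommended identifier; keys are the identifiers as given."""
    return {ext: vet(ext, snapshot, reviewed) for ext in recommended}


if __name__ == "__main__":
    sample = [
        "ms-ossdata.vscode-postgresql",
        "ms-azure-devops.azure-pipelines",
        "pkosta2005.heroku-command",
        "cake-build.cake-vscode",
    ]
    for ext, (verdict, reason) in vet_all(sample).items():
        print(f"{verdict:7} {ext}: {reason}")
```

Only an `allow` verdict should permit an unattended install; `review` and `block` results go to a person who opens the extension's registry page and checks the publisher.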