Popular AI-powered integrated development environment solutions, such as Cursor, Windsurf, Google Antigravity, and Trae, recommend extensions that are non-existent in the OpenVSX registry, allowing threat actors to claim the namespace and upload malicious extensions.
These AI-assisted IDEs are forked from Microsoft VSCode, but cannot use the extensions in the official store due to licensing restrictions. Instead, they are supported by OpenVSX, an open-source marketplace alternative for VSCode-compatible extensions.
As a result of forking, the IDEs inherit the list of officially recommended extensions, hardcoded in the configuration files, which point to Microsoft’s Visual Studio Marketplace.
These recommendations come in two forms: one file-based, triggered when opening a file such as azure-pipelines.yaml, and recommends the Azure Pipelines extension; the other is software-based, occurring when detecting that PostgreSQL is installed on the developer’s system and suggesting a PostgreSQL extension.
Cursor IDE recommends extension not present in OpenVSX
source: Koi
However, not all of the recommended extensions exist on OpenVSX, so the corresponding publisher namespaces are unclaimed.
Researchers at supply-chain security company Koi say that a threat actor could take advantage of users' trust in app recommendations and register the unclaimed namespaces to push malware.
Source: Koi Security
The researchers reported the issue to Google, Windsurf, and Cursor in late November 2025. Google reacted by removing 13 extension recommendations from its IDE on December 26, but Cursor and Windsurf have not responded yet.
... continue reading