A security researcher from Koi Security stumbled upon a critical zero-day buried deep in the infrastructure powering today’s AI coding tools. Had it been exploited, a non-sophisticated attacker could’ve hijacked over 10 million machines with a single stroke.
AI coding assistants like Cursor and Windsurf have exploded in popularity, promising supercharged productivity for developers around the world. Behind their sleek interfaces lies a shared foundation: community-built VS Code forks and an open marketplace of extensions that powers the magic. But, with this new wave of developer tooling comes a dangerous blind spot.
Dubbed VSXPloit: A single overlooked flaw in OpenVSX - a critical component in the developer supply chain - allowed silent, full-system compromise on any machine running a VS Code fork. One bug. Total control.
Let’s dive in.
Today’s AI-powered editors heavily rely on extensions to deliver their most basic functionality. Features like syntax highlighting, linting, and debugging aren’t hardcoded into the editor - they are provided by extensions.
Each of these extensions runs with full privileges on the developer’s machine. This in turn means that a single compromised extension can lead to full machine takeover of anyone who installs it.
This exact nightmare scenario is what security researcher Oren Yomtov from Koi Security, a company providing a platform for securing software provisioning and extensions, stumbled upon.
In a recent post Yomtov explains that while examining the build process behind OpenVSX, the open-source marketplace powering extensions for tools like Cursor, Windsurf, VSCodium, and others, he discovered a critical flaw.
The vulnerability allowed any attacker, not only to gain control over a single extension, but an supply chain armageddon, gaining full control over the entire marketplace.
Given this flaw, any attacker could push malicious updates under the trusted @open-vsx account. At first, Yomtov assumed it had to be a mistake, this code had been running for years, used by tens of millions. But when he recreated the attack in his lab, the simulation worked flawlessly.
... continue reading