Vulnerable VS Code extensions affect tens of millions of developers

Security researchers have discovered three serious vulnerabilities in four popular VS Code extensions, which have been downloaded more than 120 million times.

Developers store their most sensitive information on local systems that are accessible via the IDE. This includes business logic, API keys, database configurations, environment variables, and sometimes even customer data. Researchers at OX Security discovered that a single malicious extension, or a single vulnerability in a single extension, is enough to enable lateral movement and compromise entire organizations.

VS Code’s verification mechanisms can be manipulated, allowing malicious extensions to maintain “verified” status while executing harmful commands at the OS level. The problem extends to Cursor and Windsurf, two popular alternatives that use the same extension infrastructure.

The danger lies in the lateral movement such a compromise enables across connected networks. When a vulnerable extension runs on an endpoint that also hosts a localhost server, there is a high risk of exposing sensitive data and potentially taking over the machine. Compromised development environments expose organizations to ongoing risks throughout the software lifecycle.

No response from maintainers

OX Security reported all three vulnerabilities in July and August 2025 via responsible disclosure. To date, none of the maintainers has responded. The security researchers attempted to reach them through multiple channels, including direct email, GitHub pages, and social networks.

According to OX Security, multiple solutions are needed. First, mandatory security assessments must be completed before extensions are published to marketplaces, similar to app store vetting. Second, automated vulnerability scans using AI-powered security testing tools should analyze new extensions before they reach developers.

Finally, enforceable response requirements are needed for maintainers of popular extensions, including mandatory CVE issuance and patch deadlines. The current “install at your own risk” model is no longer sustainable. As AI coding assistants accelerate development and increase reliance on IDE extensions, the attack surface is growing exponentially.