AI IDE FORKS EXPOSED BY OPENVSX NAMESPACE HIJACK IN BUILT-IN EXTENSION RECOMMENDATIONS
Koi found that popular AI IDEs forked from VS Code (Cursor, Windsurf, Google Antigravity, Trae) inherit hardcoded extension recommendations that point to Microsoft’s marketplace, but those extensions don’t always exist on OpenVSX (the registry these IDEs actually use). Unclaimed namespaces on OpenVSX could be registered by attackers to ship malicious lookalike extensions that the IDE proactively recommends based on files or installed software. Koi preemptively claimed several risky namespaces (e.g., PostgreSQL, Azure Pipelines, ARM tools) with placeholder packages to reduce immediate risk.
Proactive IDE recommendations can drive installs of malicious extensions with full system access and silent credential exfiltration.
AI IDEs using OpenVSX increase supply-chain exposure when inherited recommendation IDs map to unclaimed namespaces.
- Enforce IDE extension allowlists and pin to approved OpenVSX publishers; disable proactive recommendations via policy.
- Red-team a benign placeholder under a lookalike namespace and verify that install is blocked by policy and monitoring.
Legacy codebase integration strategies...
- 01. Audit developer machines for unverified OpenVSX extensions matching recommended IDs (e.g., ms-ossdata.vscode-postgresql, ms-azure-devops.azure-pipelines) and remove or replace them.
- 02. Set up an internal OpenVSX proxy/mirror and pin critical extensions; strip or override inherited recommendation IDs in enterprise IDE builds.
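One way to run the audit in step 01, as an added example (not code from Koi or any IDE vendor): it reads each installed extension's `package.json` manifest from the extension directories passed on the command line and reports watchlisted IDs that are not on an approved list. The `approved` set and the directory arguments are assumptions of this example; the two watchlist IDs are the ones named above.

```python
import json
import sys
from pathlib import Path

# Recommendation IDs named in the write-up; extend with your own list.
WATCHLIST = {"ms-ossdata.vscode-postgresql", "ms-azure-devops.azure-pipelines"}


def audit(ext_dirs, watchlist=WATCHLIST, approved=frozenset()):
    """Report watchlisted extensions that are installed but not approved.

    approved (an assumption of this example) holds lowercase
    (extension_id, version) pairs that your team has vetted.
    """
    wanted = {ext_id.lower() for ext_id in watchlist}
    findings = []
    for ext_dir in map(Path, ext_dirs):
        if not ext_dir.is_dir():
            continue
        # Each installed extension is a folder holding a package.json manifest.
        for manifest in sorted(ext_dir.glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
                ext_id = f"{meta['publisher']}.{meta['name']}".lower()
                version = str(meta.get("version", "unknown"))
            except (OSError, ValueError, KeyError, TypeError):
                # Do not skip silently: an unparsable manifest needs a manual look.
                findings.append((str(manifest.parent), None, None, "unreadable manifest"))
                continue
            if ext_id in wanted and (ext_id, version) not in approved:
                findings.append((str(manifest.parent), ext_id, version, "not approved"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_ext.py <extensions-dir> [<extensions-dir> ...]
    results = audit(sys.argv[1:])
    for path, ext_id, version, reason in results:
        print(f"{reason}: {ext_id or '?'} {version or ''} at {path}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets endpoint-management tooling flag the machine for follow-up.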
Fresh architecture paradigms...
- 01. Standardize on a managed AI IDE profile with pre-bundled, signed, and allowlisted extensions and recommendation notifications disabled by default.
- 02. Run devcontainers/remote dev by default to isolate secrets and reduce blast radius if an extension misbehaves.