AI VS CODE FORKS CAN PROMPT NONEXISTENT OPEN VSX EXTENSIONS
AI-powered VS Code forks (Cursor, Windsurf, Google Antigravity, Trae) inherit extension recommendations from Microsoft’s marketplace, but some recommended extension names don’t exist in Open VSX, the registry these forks rely on. This gap creates a name-squatting avenue where attackers could publish malicious packages under those names; prompts can be file-based or software-based, increasing exposure.
Developers may trust IDE prompts and install malicious extensions that mimic expected names.
AI IDE pilots in SDLC widen the attack surface via unmanaged extension sources.
Enforce extension allowlists and publisher verification in AI IDEs/devcontainers, and disable or gate extension recommendation prompts.
Route forks to a private or curated Open VSX proxy and alert on newly created packages matching recommended names.
Legacy codebase integration strategies...
- 01. Audit existing repos and machines for extensions.json/devcontainer.json entries pointing to nonexistent or unpinned extensions and block installs via MDM.
- 02. Migrate to a managed marketplace mirror with signed, vetted publishers and backfill an org-wide allowlist for common toolchains.
Fresh architecture paradigms...
- 01. Standardize on one IDE distribution and a curated extension source, pinning publisher@version in templates and devcontainers.
- 02. Add CI checks to validate repo-level recommendations against your allowlist before rollout.
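One way to implement the repo audit and the CI check above, as an added example rather than code from the original page. The allowlist contents, the sample files, the `example-pub.db-helper` id and the rule that only devcontainer.json entries must carry a `publisher.name@version` pin are assumptions made for illustration.

```python
import json
import re

# Constructed allowlist: extension id (lowercase publisher.name) -> approved version.
ALLOWLIST = {"ms-python.python": "2024.2.1", "redhat.vscode-yaml": "1.14.0"}
_STRING = r'"(?:\\.|[^"\\])*"'

def _drop(pattern, text):
    """Delete matches of `pattern` that occur outside JSON string literals."""
    rx = re.compile(_STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def parse_jsonc(text):
    """extensions.json and devcontainer.json allow comments and trailing commas."""
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_drop(r",(?=\s*[}\]])", text))

def extension_refs(doc):
    """Collect extension references from both file shapes."""
    refs = doc.get("recommendations", [])
    return refs + doc.get("customizations", {}).get("vscode", {}).get("extensions", [])

def check(path, text, allowlist=ALLOWLIST):
    """Return (path, reference, reason) for every entry CI should reject."""
    findings = []
    for ref in extension_refs(parse_jsonc(text)):
        ext_id, _, version = ref.lower().partition("@")
        if ext_id not in allowlist:
            findings.append((path, ref, "not on allowlist"))
        elif path.endswith("devcontainer.json") and version != allowlist[ext_id]:
            findings.append((path, ref, "missing or unapproved version pin"))
    return findings

# Constructed sample files; "example-pub.db-helper" is a made-up extension id.
SAMPLES = {
    ".vscode/extensions.json": """{
      // team recommendations
      "recommendations": ["ms-python.python", "example-pub.db-helper",],
    }""",
    ".devcontainer/devcontainer.json": """{
      "name": "api // dev", /* comment markers inside strings are kept */
      "customizations": {"vscode": {"extensions": ["ms-python.python@2024.2.1", "redhat.vscode-yaml"]}}
    }""",
}

if __name__ == "__main__":
    found = [f for p, t in SAMPLES.items() for f in check(p, t)]
    print("\n".join("BLOCK %s: %s (%s)" % f for f in found))
    raise SystemExit(1 if found else 0)
```

In a pipeline, replace `SAMPLES` with the files found in the checkout and load the allowlist from wherever the organization maintains it; the non-zero exit status fails the job.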