howtonotcode.com

AI IDE forks exposed by OpenVSX namespace hijack in built-in extension recommendations

First seen: 2026-01-06
Last updated: 2026-01-06

Overview

Koi found that popular AI IDEs forked from VS Code (Cursor, Windsurf, Google Antigravity, Trae) inherit hardcoded extension recommendations that point to Microsoft’s marketplace, but those extensions don’t always exist on OpenVSX (the registry these IDEs actually use). Unclaimed namespaces on OpenVSX could be registered by attackers to ship malicious lookalike extensions that the IDE proactively recommends based on files or installed software. Koi preemptively claimed several risky namespaces (e.g., PostgreSQL, Azure Pipelines, ARM tools) with placeholder packages to reduce immediate risk.
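The weak point described above is auditable from the defender's side: enumerate every extension id a fork's hardcoded recommendation tables can push, and check whether the publisher namespace and the package actually exist on the registry the IDE installs from. The script below is an added example, not Koi's tooling and not code from any IDE or from OpenVSX. The product.json-like layout and its key names (extensionRecommendations, exeBasedExtensionTips, configBasedExtensionTips), the extension ids, and the registry contents are all constructed for illustration; a real audit would swap the two lookup callbacks for live queries against the registry and verify the key names against the actual build.

```python
"""Audit a VS Code fork's hardcoded extension recommendations for
unclaimed registry namespaces (defender-side, offline example).

Added example: not Koi's tooling and not code from any IDE or registry.
The product.json-like keys and every sample value are constructed.
"""
import json
from typing import Callable

# Constructed sample resembling the recommendation tables a fork inherits.
# All extension ids are fictitious.
SAMPLE_PRODUCT_JSON = json.dumps({
    "extensionRecommendations": {
        "example-pub.example-linter": {"onFileOpen": [{"pathGlob": "{**/*.ex}"}]},
    },
    "exeBasedExtensionTips": {
        "exampledb": {"friendlyName": "ExampleDB",
                      "extensions": ["exampledb-org.exampledb-client"]},
    },
    "configBasedExtensionTips": {
        "example-ci": {"configPath": ".example-ci.yml",
                       "recommendations": ["example-ci.example-pipelines"]},
    },
})

# Constructed stand-in for registry state: namespace -> extensions it holds.
# In a real audit, replace the lookups in audit_sample() with live queries
# against the registry the IDE actually installs from.
SAMPLE_REGISTRY = {
    "example-pub": {"example-linter"},
    "example-ci": set(),   # namespace claimed, but the extension was never published
    # "exampledb-org" is deliberately absent: nobody has claimed it
}


def collect_recommended_ids(product: dict) -> set[str]:
    """Gather every publisher.name id the build may proactively recommend,
    whether triggered by an opened file, a detected executable, or a config file."""
    ids: set[str] = set(product.get("extensionRecommendations", {}))
    for tip in product.get("exeBasedExtensionTips", {}).values():
        ids.update(tip.get("extensions", []))        # assumed key name
    for tip in product.get("configBasedExtensionTips", {}).values():
        ids.update(tip.get("recommendations", []))   # assumed key name
    return ids


def audit(product_json: str,
          namespace_exists: Callable[[str], bool],
          extension_exists: Callable[[str, str], bool]) -> dict[str, list[str]]:
    """Classify each recommended id by what the registry actually holds.

    unclaimed_namespace: the publisher namespace does not exist at all, so any
        registry user could create it and ship a lookalike (the condition Koi
        reported). Highest priority: claim it or drop the recommendation.
    missing_extension: the namespace exists but this extension does not; only
        the namespace owner can fill it, but the recommendation dead-ends.
    present: the recommendation resolves to a real package.
    """
    report: dict[str, list[str]] = {
        "unclaimed_namespace": [], "missing_extension": [], "present": [],
    }
    for ext_id in sorted(collect_recommended_ids(json.loads(product_json))):
        namespace, _, name = ext_id.partition(".")
        if not namespace_exists(namespace):
            report["unclaimed_namespace"].append(ext_id)
        elif not extension_exists(namespace, name):
            report["missing_extension"].append(ext_id)
        else:
            report["present"].append(ext_id)
    return report


def audit_sample() -> dict[str, list[str]]:
    """Run the audit against the constructed sample data, fully offline."""
    return audit(
        SAMPLE_PRODUCT_JSON,
        namespace_exists=lambda ns: ns in SAMPLE_REGISTRY,
        extension_exists=lambda ns, name: name in SAMPLE_REGISTRY.get(ns, set()),
    )


if __name__ == "__main__":
    for bucket, ids in audit_sample().items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The three buckets are ordered by how much an outsider can do about them: an unclaimed namespace is open to anyone, a missing extension under a claimed namespace is only fillable by its owner, and a present package still warrants the usual publisher-identity check before the recommendation is trusted.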

Story Timeline


Article, 2026-01-06 08:13