
VSCode IDE Forks Expose Users To 'Recommended Extension' Attacks (bleepingcomputer.com)

(Monday January 05, 2026 @05:40PM (msmash) from the PSA dept.)


An anonymous reader shares a report:

> Popular AI-powered integrated development environment solutions, such as Cursor, Windsurf, Google Antigravity, and Trae, [1] recommend extensions that are non-existent in the OpenVSX registry, allowing threat actors to claim the namespace and upload malicious extensions.
>
> These AI-assisted IDEs are forked from Microsoft VSCode, but cannot use the extensions in the official store due to licensing restrictions. Instead, they are supported by OpenVSX, an open-source marketplace alternative for VSCode-compatible extensions. As a result of forking, the IDEs inherit the list of officially recommended extensions, hardcoded in the configuration files, which point to Microsoft's Visual Studio Marketplace.



[1] https://www.bleepingcomputer.com/news/security/vscode-ide-forks-expose-users-to-recommended-extension-attacks/



LLMs making shit up? (Score:1)

by liqu1d ( 4349325 )

Tell me it ain't so!

Re: (Score:1)

by SumDog ( 466607 )

Well, it shows you didn't read the article, because that's not what's happening.

Open core software problem - need clean forks (Score:2)

by AleRunner ( 4556245 )

This shows the danger of forgetting ideology and politics* in your software development and more importantly purchasing. In order to safely use an open core product like VScode or RedHat using a fork is absolutely crucial but it's not enough. You need a project like Rocky Linux or VSCodium and that project needs to be seriously supported to rip out all trace of the upstream vendor. The other forks then need to fork from that fork not the original. Someone needs to care about getting full control of the soft

Re: (Score:2)

by TurboStar ( 712836 )

What the hell are you ranting about? The exploit is because the forks overloaded .vscode/extensions.json to work on both OpenVSX and MS repos. The forks just need a different filename like .vscode/openvsk.json. It's not ideology and politics, it's "oops, didn't think of that".
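A defender-side check for the problem the story summary describes and that TurboStar's reply pins on `.vscode/extensions.json`: parse the workspace recommendations list and flag every extension ID that has no publisher on Open VSX, since that is exactly the namespace a third party could register. This is an added example, not code from the article or from any of the IDEs named; the Open VSX REST endpoint mentioned in the comments, the `examplepub`/`msvendor` IDs and the in-memory registry stand-in are assumptions constructed for the demo.

```python
"""Audit a .vscode/extensions.json 'recommendations' list against Open VSX.

A recommended ID that an OpenVSX-backed fork cannot resolve is not just a
broken recommendation: its namespace may still be free for anyone to claim,
so such IDs are surfaced for review instead of being installed blindly.
"""
import json
import re
from typing import Callable, Iterable

# extensions.json is JSON-with-comments; drop // and /* */ comments that sit
# outside string literals (the string alternative is tried first, so a URL
# inside a string is left untouched).
_COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)

def load_recommendations(text: str) -> list[str]:
    cleaned = _COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    return [rec.strip() for rec in json.loads(cleaned).get("recommendations", [])]

def find_unclaimed(ids: Iterable[str],
                   exists_on_openvsx: Callable[[str, str], bool]) -> list[str]:
    """Return the publisher.name IDs that the lookup reports as absent."""
    missing = []
    for ext_id in ids:
        publisher, _, name = ext_id.partition(".")
        if not publisher or not name or not exists_on_openvsx(publisher, name):
            missing.append(ext_id)  # malformed IDs are surfaced as well
    return missing

# Constructed sample workspace file; the IDs are hypothetical, not from the article.
SAMPLE_EXTENSIONS_JSON = """{
  // See https://go.microsoft.com/fwlink/?LinkId=827846 for workspace recommendations.
  "recommendations": [
    "examplepub.linter",      /* published on both marketplaces */
    "examplepub.formatter",   // only on the Microsoft marketplace
    "msvendor.debugger"
  ]
}"""

# Constructed stand-in for the registry. A real run would replace this with an
# HTTP GET to https://open-vsx.org/api/{publisher}/{name} (assumed endpoint;
# 200 means the namespace is taken, 404 means it is still free).
_FAKE_OPENVSX = {("examplepub", "linter")}

def fake_lookup(publisher: str, name: str) -> bool:
    return (publisher, name) in _FAKE_OPENVSX

def audit_sample() -> list[str]:
    return find_unclaimed(load_recommendations(SAMPLE_EXTENSIONS_JSON), fake_lookup)

if __name__ == "__main__":
    for ext_id in audit_sample():
        print(f"REVIEW: {ext_id} has no Open VSX publisher; namespace may be claimable")
```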
