
VSCode IDE Forks Expose Users To 'Recommended Extension' Attacks (bleepingcomputer.com)

(Monday January 05, 2026 @05:40PM (msmash) from the PSA dept.)


An anonymous reader shares a report:

> Popular AI-powered integrated development environment solutions, such as Cursor, Windsurf, Google Antigravity, and Trae, [1]recommend extensions that are non-existent in the OpenVSX registry, allowing threat actors to claim the namespace and upload malicious extensions.


> These AI-assisted IDEs are forked from Microsoft VSCode, but cannot use the extensions in the official store due to licensing restrictions. Instead, they are supported by OpenVSX, an open-source marketplace alternative for VSCode-compatible extensions. As a result of forking, the IDEs inherit the list of officially recommended extensions, hardcoded in the configuration files, which point to Microsoft's Visual Studio Marketplace.



[1] https://www.bleepingcomputer.com/news/security/vscode-ide-forks-expose-users-to-recommended-extension-attacks/
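The inherited-recommendation problem described in the summary, as an added example that is not from the article or any comment here: a workspace audit that reads `.vscode/extensions.json` (which VS Code allows to contain comments and trailing commas) and flags every recommended `publisher.name` whose namespace or extension is absent from an OpenVSX inventory. The inventory below is a constructed snapshot standing in for a live registry lookup; the file contents and extension ids are likewise constructed.

```python
import json
import re

# Constructed stand-in for an OpenVSX inventory (namespace -> extension names).
# In practice this would be filled from registry queries; the values here are
# invented for the demo and are not real registry data.
OPENVSX_SNAPSHOT = {
    "ms-python": {"python"},
    "dbaeumer": {"vscode-eslint"},
}

# Matches a JSON string (kept) or a line/block comment (dropped), so that
# "//" inside a string value is never mistaken for a comment.
_JSONC_TOKEN = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA = re.compile(r',(\s*[\]}])')


def parse_extensions_json(text):
    """Parse VS Code's JSON-with-comments flavour used by .vscode/extensions.json."""
    stripped = _JSONC_TOKEN.sub(lambda m: m.group(1) or "", text)
    return json.loads(_TRAILING_COMMA.sub(r"\1", stripped))


def audit_recommendations(text, registry):
    """Classify each recommended extension id against the registry inventory.

    present   - namespace and extension both exist
    missing   - namespace exists but this extension does not
    unclaimed - namespace itself is absent (nobody owns it on this registry)
    malformed - not a publisher.name identifier
    A workspace owner should remove or pin anything not reported as present.
    """
    findings = []
    for ext_id in parse_extensions_json(text).get("recommendations", []):
        ns, sep, name = ext_id.partition(".")
        if not sep or not ns or not name:
            findings.append(("malformed", ext_id))
            continue
        ns, name = ns.lower(), name.lower()  # registry ids are case-insensitive
        if ns not in registry:
            findings.append(("unclaimed", ext_id))
        elif name not in registry[ns]:
            findings.append(("missing", ext_id))
        else:
            findings.append(("present", ext_id))
    return findings


# Constructed workspace file, deliberately using comments and trailing commas.
SAMPLE_EXTENSIONS_JSON = """{
  // constructed sample; ids below are not real recommendations
  "recommendations": [
    "ms-python.python",
    "dbaeumer.vscode-eslint",
    "ms-python.nonexistent-tool",
    "example-publisher.some-tool", /* namespace absent from snapshot */
    "not-an-extension-id",
  ],
}"""

if __name__ == "__main__":
    for status, ext_id in audit_recommendations(SAMPLE_EXTENSIONS_JSON, OPENVSX_SNAPSHOT):
        print(f"{status:10} {ext_id}")
```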



LLMs making shit up? (Score:1)

by liqu1d ( 4349325 )

Tell me it ain't so!

Re: (Score:1)

by SumDog ( 466607 )

Well, it shows you didn't read the article, because that's not what's happening.

Open core software problem - need clean forks (Score:2)

by AleRunner ( 4556245 )

This shows the danger of forgetting ideology and politics* in your software development and more importantly purchasing. In order to safely use an open core product like VSCode or RedHat using a fork is absolutely crucial but it's not enough. You need a project like Rocky Linux or VSCodium and that project needs to be seriously supported to rip out all trace of the upstream vendor. The other forks then need to fork from that fork not the original. Someone needs to care about getting full control of the soft

Re: (Score:2)

by TurboStar ( 712836 )

What the hell are you ranting about? The exploit is because the forks overloaded .vscode/extensions.json to work on both OpenVSX and MS repos. The forks just need a different filename like .vscode/openvsk.json. It's not ideology and politics, it's "oops, didn't think of that".
