Several leading AI-powered integrated development environments (IDEs) automatically recommended extensions that did not exist, posing the risk that threat actors would create malicious extensions of the same name, Koi Security reported Tuesday.Cursor, Windsurf and Google Antigravity, which are all forked from Microsoft’s Visual Studio Code (VS Code), were all found by Koi to inadvertently inherit a VS Code configuration file that proactively recommends certain VS Code extensions to users.However, these extensions come from the VS Code Marketplace, which can only be accessed via Microsoft products, whereas Cursor, Windsurf and Google Antigravity all use OpenVSX as their extension marketplace.This created a scenario where some extensions with unclaimed namespaces in OpenVSX were actively promoted to developers by their IDE — an opportunity for malicious actors to claim these extension names and distribute their own malware-laced extensions.
Related reading:
Koi identified more than a dozen recommendations made by these IDEs, some of which were made automatically when the user opened a certain file and some of which were based on the software the user had installed on their machine.For example, opening the file azure-pipelines.yaml would lead to an automatic recommendation for the azure-pipelines extension, and having PostgreSQL installed would cause the IDE to automatically recommend the extension vscode-postgresql, Koi explained.These recommendations would appear as popups with an “Install” button, without the user searching for extensions themselves.To help prevent threat actors for claiming the names of the nonexistent extensions, Koi created six of these recommended extensions as placeholders, including vscode-postgresql and azure-pipelines.For the other recommended extensions, whose names had already been claimed in OpenVSX, the security company reached out to the Eclipse Foundation, which maintains OpenVSX. The Eclipse Foundation verified that the remaining extensions were safe and removed any non-official contributors from the extensions.Koi also reached out to Cursor, Windsurf and Google to alert them about the erroneous recommendations. Cursor fixed the issue in December 2025; Google fixed the issue on Jan. 1, 2026, following additional clarifications from Koi after initially closing the report without a fix. Koi stated it never received a response from Windsurf.
The company noted that, although the extensions it created are explicitly stated to be placeholders with no functionality, more than 1,000 users have installed them, demonstrating the risk of users installing extensions without looking into them due to their trust in their IDE. Malicious IDE extensions have made their way onto marketplaces including the VS Code Marketplace and OpenVSX before, notably the self-propagating GlassWorm malware that targets OpenVSX, GitHub and npm credentials in addition to cryptocurrency wallet details. A fourth wave of GlassWorm attacks targeting macOS was exposed late last month, involving three malicious extensions in OpenVSX.Researchers from ReversingLabs also previously flagged an issue in the VS Code Marketplace that could allow threat actors to reuse the names of extensions that were previously removed from the marketplace.
Application security, AI/ML, Critical Infrastructure Security, Supply chain, DevSecOps

AI IDEs pushed fake extensions, posing malware risk, say researchers


Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



