"Security researchers have discovered three serious vulnerabilities in four popular VS Code extensions, which have been downloaded more than 120 million times. Developers store their most sensitive information on local systems that are accessible via the IDE. This includes business logic, API keys, database configurations, environment variables, and sometimes even customer data. Researchers at OX Security discovered that a single malicious extension, or a single vulnerability in a single extension, is enough to enable lateral movement and compromise entire organizations."
"VS Code's verification mechanisms can be manipulated, allowing malicious extensions to maintain "verified" status while executing harmful commands at the OS level. The problem extends to Cursor and Windsurf, two popular alternatives that use the same extension infrastructure. The danger lies in the movement capabilities within connected networks. When extensions are executed on an endpoint running a localhost server, there is a high risk of exposing sensitive data and potentially taking over the machine."
"OX Security reported all three vulnerabilities in July and August 2025 via responsible disclosure. To date, none of the maintainers has responded. The security researchers attempted to reach them through multiple channels, including direct email, GitHub pages, and social networks. According to OX Security, multiple solutions are needed. First, mandatory security assessments must be completed before extensions are published to marketplaces, similar to app store vetting. In addition, automated vulnerability scans with AI-powered security testing tools are used to analyze new extensions"
Researchers found three serious vulnerabilities across four widely used VS Code extensions with over 120 million downloads. Developers often keep sensitive assets locally in the IDE, including API keys, database configurations, environment variables, business logic, and sometimes customer data. A single malicious extension or one vulnerable extension can enable lateral movement and full organizational compromise. VS Code verification can be manipulated to let extensions remain "verified" while running harmful OS-level commands. The issue also affects Cursor and Windsurf. Exploited extensions on endpoints running localhost servers can expose sensitive data and allow machine takeover. OX Security reported the flaws in July and August 2025 and received no maintainer responses. Recommended mitigations include mandatory pre-publication security assessments, automated AI-powered vulnerability scans, and enforceable maintainer response requirements with CVE issuance and patch deadlines.
Read at Techzine Global
Unable to calculate read time
Collection
[
|
...
]