Several popular AI-driven code editors built on Visual Studio Code are raising new supply-chain security concerns after researchers found they recommend extensions that don’t actually exist in the Open VSX registry.
The affected tools include VS Code forks such as Cursor, Windsurf, Google Antigravity, and Trae. While these editors rely on Open VSX for extensions, they still inherit Microsoft’s extension recommendations, creating a dangerous mismatch.
Security firm Koi explained that many of the extensions being recommended by these IDEs do not exist in Open VSX at all. Worse, the extension names were unclaimed, meaning anyone could register them and upload a package under a trusted-looking name.
VS Code recommendations typically appear in two ways. Some are file-based, showing pop-up suggestions when a developer opens certain file types. Others are software-based, triggered when tools like PostgreSQL are detected on the system.
According to Koi researcher Oren Yomtov, the real issue is that these recommended extensions simply weren’t present in Open VSX. That left the namespaces wide open for abuse.
In practical terms, this means an attacker could publish a malicious extension using a familiar name such as ms-ossdata.vscode-postgresql. When a developer with PostgreSQL installed opens one of these AI-powered editors and sees a “Recommended” prompt, installing it takes just one click.
That small moment of trust can have serious consequences. A malicious extension could steal credentials, API keys, source code, or other sensitive data. To illustrate the risk, Koi registered several placeholder extensions and found that one PostgreSQL-related package alone was downloaded more than 500 times, simply because it appeared as an IDE recommendation.
Some of the extension names that were found unclaimed and later registered as placeholders include:
- ms-ossdata.vscode-postgresql
- ms-azure-devops.azure-pipelines
- msazurermtools.azurerm-vscode-tools
- usqlextpublisher.usql-vscode-ext
- cake-build.cake-vscode
- pkosta2005.heroku-command
Following responsible disclosure, Cursor, Windsurf, and Google have released fixes to prevent invalid recommendations. The Eclipse Foundation, which maintains Open VSX, has also taken action by removing non-official contributors and strengthening registry-level protections.
This incident is another reminder that attackers are increasingly targeting extension marketplaces and open-source ecosystems. Developers should treat extension recommendations with caution, verify publishers carefully, and avoid installing packages solely because an IDE suggests them.
In modern development environments, convenience without verification can quietly turn into a security liability.