You may be installing what appears to be a "verified" extension in your trusted code editor only to discover it’s actually a cleverly disguised trojan horse. A recent study has spotlighted this alarming scenario, revealing a major vulnerability in how popular integrated development environments (IDEs) like Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor verify third-party extensions.
Inside the Verification Flaw
Researchers at OX Security uncovered that the extension verification process for Visual Studio Code and similar IDEs is not as robust as many assume. Attackers can mimic the verification values typically reserved for official Microsoft extensions to create malicious plugins that still carry the "verified" badge. This simple trick can easily mislead developers into placing undue trust in harmful extensions.
- Verification Loophole: Visual Studio Code’s verification uses an HTTP POST request to check extension status, but this mechanism can be falsified by attackers.
- Extension Sideloading: Malicious actors can distribute compromised VSIX or ZIP extension files independently of official marketplaces, bypassing existing security controls.
- Proof of Concept: The researchers demonstrated the danger by creating a fake extension that looked verified but executed arbitrary OS commands, such as launching the Windows Calculator.
Impact Across Multiple IDEs
This vulnerability is not exclusive to Visual Studio Code. The same technique was successfully applied to other top IDEs, including IntelliJ IDEA and Cursor, simply by altering verification values. Consequently, developers relying solely on the verified symbol for security may be at risk across several platforms.
Attack Vectors and Security Risks
This flaw enables classic extension sideloading attacks, where extensions that appear legitimate are weaponized to execute commands on a developer’s machine. Since IDEs often have access to sensitive code and credentials, the fallout from such attacks can be severe.
- Malicious extensions can be spread through unofficial sources like GitHub or direct downloads.
- Without enforced code signing or more rigorous publisher verification, attackers can easily impersonate trusted sources.
- Remote code execution via malicious extensions can result in data breaches, credential theft, and broader supply chain compromises.
Vendor Response and Remaining Threats
Microsoft acknowledged the issue, stating that signature verification is enabled by default across platforms, preventing such extensions from being published on the official Marketplace. However, OX Security researchers were able to exploit the flaw as recently as June 2025, suggesting that risks persist, especially through unofficial distribution channels and sideloaded extensions.
Staying Secure: What Developers and Organizations Should Do
The key message is clear: don’t rely on the verified symbol alone. Developers should always install extensions from official marketplaces and avoid sideloading VSIX or ZIP files from unknown sources. Security teams should regularly audit the extensions in use and consider stricter code signing and publisher verification policies to reduce risk.
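As an added example of the kind of pre-install audit the advice above calls for (this is not code from the article, OX Security or Microsoft), the following script inspects a VSIX package and reports what a badge alone would hide. It assumes the standard VSIX layout (extension.vsixmanifest and extension/package.json inside the ZIP), that Marketplace-signed packages carry a root .signature.p7s file, and a constructed publisher allow-list standing in for local policy.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# Added example, not code from the article or OX Security. Assumed layout: a
# VSIX is a ZIP holding extension.vsixmanifest and extension/package.json at
# known paths, and Marketplace-signed packages carry a root .signature.p7s.
VSIX_NS = {"v": "http://schemas.microsoft.com/developer/vsx-schema/2011"}
ALLOWED_PUBLISHERS = {"ms-python", "ms-vscode"}  # constructed local policy

def audit_vsix(data: bytes) -> dict:
    """Inspect a VSIX blob before install: publisher, id and policy findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        root = ET.fromstring(z.read("extension.vsixmanifest"))
        ident = root.find("v:Metadata/v:Identity", VSIX_NS)
        if ident is None:
            raise ValueError("malformed extension.vsixmanifest: no Identity")
        publisher = ident.get("Publisher", "")
        ext_id = ident.get("Id", "")
        # The manifest's publisher string is attacker-controlled, so check it
        # against local policy instead of trusting it (or a badge built from it).
        if publisher not in ALLOWED_PUBLISHERS:
            findings.append(f"publisher '{publisher}' not on allow-list")
        if ".signature.p7s" not in names:
            findings.append("no .signature.p7s: unsigned or sideloaded package")
        pkg = json.loads(z.read("extension/package.json"))
        if "*" in pkg.get("activationEvents", []):
            findings.append("activates on every IDE start ('*')")
    return {"publisher": publisher, "id": ext_id, "findings": findings}

def build_sample_vsix(publisher: str, ext_id: str, events: list, signed: bool) -> bytes:
    """Constructed in-memory VSIX for offline testing; not a real package."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<PackageManifest Version="2.0.0" xmlns="%s">'
        '<Metadata><Identity Language="en-US" Id="%s" Version="0.0.1" '
        'Publisher="%s"/><DisplayName>%s</DisplayName></Metadata></PackageManifest>'
    ) % (VSIX_NS["v"], ext_id, publisher, ext_id)
    pkg = {"name": ext_id, "publisher": publisher, "main": "./out/extension.js",
           "activationEvents": events}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension.vsixmanifest", manifest)
        z.writestr("extension/package.json", json.dumps(pkg))
        if signed:
            z.writestr(".signature.p7s", b"constructed-placeholder-signature")
    return buf.getvalue()
```

Presence of .signature.p7s only tells you the package claims to be signed; the IDE's own signature check is still what validates it, and a missing file is a reason to stop and fetch the extension from the official marketplace instead.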
Conclusion
This incident serves as a powerful reminder that even reputable platforms are not immune to sophisticated threats. As attackers evolve their tactics to exploit trust mechanisms, both developers and organizations need to prioritize a layered approach to IDE security and remain vigilant against new threats.
Source: The Hacker News, "Malicious Extensions Can Fake Verification in Popular IDEs"