The research demonstrated that publishing a fully functional backdoor through Microsoft’s official VS Code Marketplace and the open-source OpenVSX Marketplace requires minimal technical sophistication, raising serious alarms for software supply chain security.
Ahmed created a proof-of-concept extension called “Piithon-linter”, disguised as a Python code formatter.
When installed, it executed malicious code whenever VS Code launched, silently exfiltrating system metadata and environment variables containing sensitive tokens and API keys.
Because VS Code inherits shell environment variables, secrets like GITHUB_TOKEN or AWS_SECRET_KEY could be stolen the moment the extension runs.
Despite clear malicious code and network communication functions, the extension passed Microsoft’s malware scanning and sandbox testing unnoticed.
It was listed publicly on the VS Code Marketplace and later published without issue to OpenVSX, which lacked automated security checks.
This allowed the same malicious package to appear across multiple AI-assisted development environments that rely on OpenVSX repositories.
To test more advanced evasion techniques, Ahmed enhanced the extension with endpoint detection and response (EDR) checks and a geofencing rule that terminates malicious actions when executed in Microsoft’s U.S.-based sandbox.
The technique successfully bypassed Microsoft’s dynamic analysis. The enhanced version also embedded the Merlin post-exploitation agent, which could provide remote shell access across Windows, macOS, and Linux systems.
The second version of the extension still evaded detection by both Microsoft’s marketplace and VirusTotal, despite containing plainly malicious patterns.
Because VS Code automatically runs extensions at startup and updates them in the background, a compromised extension could provide persistence and remote update capability, enabling attackers to control infected developer systems long-term.
Ahmed responsibly disclosed all findings to Microsoft, the Eclipse Foundation (OpenVSX), and Cursor AI. Microsoft classified the risk as “low severity,” noting that bypassing static analysis is possible and that users should vet extensions themselves.
Cursor AI, meanwhile, introduced publisher verification and malware scanning, though Ahmed’s tests showed the malicious version was still marked safe.
The findings highlight a growing threat: developer-focused supply chain attacks. As extensions gain deep system access, even a single developer’s compromised IDE could expose an entire organization’s infrastructure.
The research underscores the urgent need for stricter extension vetting, real-time behavioral monitoring, and coordinated marketplace-level defenses to safeguard the global software development ecosystem.
The post Hackers Exploit Malicious VS Code and Cursor AI Extensions to Target Developers appeared first on Cyber Security News.