A recent security analysis has uncovered that integrated development environments (IDEs) such as Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor contain fundamental flaws in their extension verification processes.
Researchers found that attackers can craft malicious extensions that retain the coveted “verified” badge, deceiving developers into believing they are safe to install.
By manipulating the values used in verification requests, rogue extensions can masquerade as legitimate, even if they contain code capable of executing operating system commands or stealing sensitive information.
This vulnerability is especially dangerous because the verified badge is intended to signal trust and security. When this symbol can be faked, it undermines the entire extension ecosystem, leaving developers exposed to attacks that are difficult to detect through visual cues alone.
Sideloading and Signature Weaknesses Enable Remote Code Execution
The exploitation method hinges on extension sideloading, where attackers distribute VSIX or ZIP extension files outside official marketplaces. Without robust code signing enforcement or trusted publisher verification, these files can be installed while maintaining their verified status.
In one proof of concept, a malicious extension was configured to open the Calculator app on Windows, demonstrating the potential for arbitrary command execution on the host system.
Such attacks pose a severe risk in development environments, where access to credentials, source code, and cloud resources is common. The ease with which attackers can bypass marketplace controls and signature checks makes this a low-barrier entry point for remote code execution and data exfiltration.
Did you know?
The concept of extension marketplaces dates back to the early 2010s, but widespread adoption in developer tools has made them a prime target for cybercriminals. In 2024, a single malicious extension on the VSCode Marketplace was downloaded over 100,000 times before being detected and removed.
Marketplace Controls and Vendor Responses Under Scrutiny
Following responsible disclosure, Microsoft stated that its marketplace would block the publication of such extensions due to signature verification requirements.
However, researchers demonstrated that the flaw remained exploitable as recently as late June 2025, raising concerns about the effectiveness and timeliness of vendor responses. Other major IDEs, including IntelliJ IDEA and Cursor, were also found to be vulnerable to similar verification bypass techniques.
The situation highlights the limitations of relying solely on marketplace controls and automated scanning to ensure extension safety. Previous incidents, such as ransomware and cryptominer extensions slipping through Microsoft’s review process, further underscore the need for more rigorous oversight and transparent changelogs.
ALSO READ | Synthetic Data and Academic Collaboration Position Genesis AI as a Robotics Trailblazer
Real-World Impact: From Ransomware to Credential Theft
Malicious extensions have already caused real damage in the wild. Earlier in 2025, multiple Visual Studio Code extensions were discovered deploying ransomware and cryptominers, infecting hundreds of thousands of users before removal.
Attackers have also leveraged malicious extensions to steal developer credentials, exfiltrate source code, and gain access to cloud and CI/CD environments.
The extensibility that makes modern IDEs powerful also creates a broad attack surface. Developers who install extensions from unofficial sources or fail to audit their tools risk introducing critical vulnerabilities into their workflows.
Best Practices: Mitigating the Risks of Verified Badge Abuse
Given the demonstrated risks, developers and organizations must adopt stricter extension management practices. Installing extensions only from official marketplaces, conducting internal code reviews, and maintaining allowlists of trusted plugins are essential steps.
Monitoring for suspicious activity, such as unexpected PowerShell executions or outbound network calls, can help detect malicious behavior early.
Vendors are urged to enhance code signing enforcement, improve publisher verification, and provide clear, auditable changelogs for all extension updates. Until these controls are universally adopted, the verified badge alone cannot be relied upon as a guarantee of safety.
Comments (0)
Please sign in to leave a comment
No comments yet. Be the first to share your thoughts!