Full Report
A new study of integrated development environments (IDEs) like Microsoft Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor has revealed weaknesses in how they handle the extension verification process, ultimately enabling attackers to execute malicious code on developer machines. "We discovered that flawed verification checks in Visual Studio Code allow publishers to add functionality
Analysis Summary
# Vulnerability: Malicious IDE Extensions Bypass Verified Status Checks
## CVE Details
- CVE ID: N/A (Specific CVE not assigned in the provided text)
- CVSS Score: N/A (Score not provided)
- CWE: N/A (CWE not explicitly stated, related to Trust/Verification Bypass)
## Affected Systems
- Products: Microsoft Visual Studio Code, Visual Studio, IntelliJ IDEA, Cursor
- Versions: Not specified, applicable to versions where the verification check mechanism is present.
- Configurations: Affects extensions distributed outside the official marketplace or those that mimic verified extensions.
## Vulnerability Description
The vulnerability resides in the extension verification checks performed by several IDEs, including Visual Studio Code. Attackers can bypass trust checks by creating a malicious extension (VSIX package file) that contains the same verifiable values as an already verified extension (e.g., one published by Microsoft). This manipulation causes the malicious extension to display the "verified" icon to the developer, even though it contains code capable of executing arbitrary operating system commands (similar to extension sideloading abuse).
## Exploitation
- Status: PoC available (A PoC demonstrated opening the Windows Calculator application)
- Complexity: Low
- Attack Vector: Network (The initial setup/installation relies on the user interacting with the deceptive extension)
## Impact
- Confidentiality: High (Due to potential access to sensitive credentials and source code in the development environment)
- Integrity: High (Ability to execute arbitrary OS commands)
- Availability: Medium (Potential for system disruption depending on the payload)
## Remediation
### Patches
- Microsoft stated that changes will prevent the VSIX extension from being published to the Marketplace **due to extension signature verification being enabled by default across all platforms.** (Status needs confirmation if this inherently fixes the bypass observed on June 29, 2025.)
### Workarounds
- Install extensions only from official marketplaces.
- Exercise caution and do not rely solely on the "verified" symbol for trust.
## Detection
- Indicators of compromise: Unexpected execution of OS commands (e.g., Calculator opening) initiated by an IDE extension process.
- Detection methods and tools: Monitor network activity related to extension verification requests if inspecting the underlying mechanism. General endpoint detection and response (EDR) monitoring for unexpected process execution originating from IDE directories.
## References
- Vendor Advisory/Details: OX Security researchers Nir Zadok and Moshe Siman Tov Bustan report link: hxxps://www.ox.security/can-you-trust-that-verified-symbol-exploiting-ide-extensions-is-easier-than-it-should-be/
- Related Article: hxxps://thehackernews.com/2025/07/new-flaw-in-ides-like-visual-studio.html