A security weakness has been disclosed in several popular integrated development environments (IDEs) that lets an attacker bypass extension trust checks and run code on developer machines while the extension still appears to be a legitimate, verified one. A malicious extension can keep the verified symbol and the trusted publisher's details while carrying code that executes operating system commands. Researchers found that changing specific values inside the extension's bundled files, chiefly package.json and extension.js, preserves the verified appearance while introducing arbitrary code: the trust indicator is tied to metadata carried in the package rather than to the code the package contains.

The impact goes well beyond running a single command. A successful exploit gives the attacker everything the developer's working environment can reach: source code, development databases, API keys and deployment credentials. The weakness affects some of the most widely used development platforms, including Visual Studio Code, Visual Studio, IntelliJ IDEA and Cursor, and so potentially exposes millions of developers to supply chain attacks. Because the compromised machine is one that builds and ships software, malicious code introduced this way can propagate into software projects and on to their end users.

OX Security analysts identified the mechanism by which the trust checks are circumvented and showed that a tampered extension can be packaged as a VSIX file and distributed outside the official marketplace, for example through GitHub, while looking entirely legitimate to the user who installs it. The research was conducted between May and June 2025.

The attack proceeds in two steps. The attacker first analyses a legitimate verified extension and extracts its publisher information, extension ID and verification tokens. They then build a malicious extension that reuses these values, so that it impersonates the trusted publisher, and replace the extension's entry module with their own code. In the proof of concept, the extension.js file contains JavaScript that runs a system command when the extension activates; launching the calculator application was used to demonstrate arbitrary code execution.

The practical consequence for developers is that the verified badge says something about who the publisher is, not about whether the package on disk matches what that publisher shipped. A VSIX obtained from a download link, a GitHub release or a chat message should be treated as untrusted code regardless of the badge it displays, and extensions should be installed through the IDE's own marketplace rather than sideloaded.
Published on cybersecuritynews.com, Thu, 03 Jul 2025 03:10:16 +0000.