Security Flaws in Verified IDE Extensions Raise Software Supply Chain Concerns
Integrated development environments (IDEs) have become critical to modern software development, especially as organizations adopt generative AI to accelerate coding. Platforms like Visual Studio Code, Visual Studio, and IntelliJ IDEA allow developers to write, test, and deploy software faster by integrating tools and supporting thousands of third-party extensions.
However, as reported by Dark Reading, new research from application security firm OX Security has found that some of these widely trusted platforms carry risks, particularly in how they handle extension verification. As development teams increasingly rely on verified extensions from official marketplaces, attackers could exploit that trust to compromise software supply chains.
Verification Badges Offer a False Sense of Security
OX Security’s research found that verified extensions across multiple IDEs can be altered after approval while still maintaining their verification status. The researchers demonstrated this by submitting a benign extension to the Visual Studio Marketplace, gaining a verification badge, and then modifying it to include malicious functionality, all without losing its trusted label.
Similar verification bypasses were confirmed in other platforms, including IntelliJ IDEA and Cursor. By intercepting and modifying server-side verification requests, the researchers were able to maintain the appearance of legitimacy while injecting arbitrary code execution capabilities.
These vulnerabilities pose a significant threat to software supply chains. Developers often have privileged access to sensitive environments and systems, making them a high-value target. A single compromised extension could provide threat actors with a foothold into an organization’s codebase, enabling espionage, sabotage, or broader compromise.
Even basic attacks, such as silently reading source code or capturing credentials, can cause lasting damage, especially when executed from a verified and trusted source within the development workflow.
Vendor Responses Lack Urgency and Accountability
Despite the severity of the findings, the IDE vendors involved offered limited responses. Microsoft stated that the research did not meet its threshold for immediate servicing. Cursor acknowledged that it does not verify extension signatures at all, while JetBrains emphasized that the demonstrated attacks did not involve extensions from its official marketplace.
These responses suggest a lack of urgency in addressing an increasingly relevant attack vector, one that has already proven successful in related domains, such as malicious browser extensions and open-source package repositories.
Recommendations and Next Steps
OX Security is urging both vendors and organizations to take immediate action. Key recommendations include implementing multi-factor verification for extension signing, validating per-file hashes of extension contents, enforcing code-signing certificate verification, and avoiding reliance on verification badges alone.
In addition, we recommend implementing a DevSecOps program to embed security throughout the development lifecycle. While no single measure can eliminate the threat of malicious IDE extensions, DevSecOps helps mitigate the risk by enforcing secure development practices, validating third-party tools, and continuously monitoring for abnormal activity.
These findings highlight a broader need for security reforms in development tooling and a more proactive approach to software supply chain protection. As IDEs become more deeply integrated into enterprise environments, the risk posed by trusted but compromised components will only increase.