
Security Warning: Malicious Extensions in VS Code-Based IDEs

Popular development environments such as Cursor and Google Antigravity are exposed to a specific type of cyberattack that abuses their "recommended extensions" lists.

The Vulnerability

Because these IDEs are based on VS Code but are not official Microsoft products, they cannot access the official Visual Studio Marketplace. Instead, they use the open-source alternative, OpenVSX.

The security risk arises because these IDEs often inherit "recommended plugin" lists from the official store. When a popular extension is missing from OpenVSX, attackers can publish a malicious extension under the exact same name, so the IDE's recommendation resolves to the attacker's package and tricks users into installing it.

Mitigation and Safety Tips

While Google and Cursor have already implemented mitigations to address this issue, users should remain vigilant. To stay safe:

  • Verify Maintainers: Always check whether the extension's publisher on OpenVSX is the official creator.
  • Check Downloads: Look for discrepancies between the OpenVSX download count and the count on the official Marketplace.
  • Manual Verification: Before installing a suggested plugin, confirm that it is the legitimate version rather than a same-named copy.
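The three checks above can be scripted against a workspace's recommendation list. The following is an added example, not code from the article or from any IDE vendor: it reads a constructed `.vscode/extensions.json`, compares each recommended ID against constructed publisher and download snapshots for both registries, and flags IDs that are missing from OpenVSX (free to be claimed), carry a different publisher, or show an implausible download gap; the `min_ratio` threshold is an assumed value.

```python
import json

# Constructed sample of a workspace's .vscode/extensions.json, the
# "recommended extensions" list the article describes.
RECOMMENDED_JSON = """{
  "recommendations": ["ms-python.python", "esbenp.prettier-vscode",
                      "acme.widget-formatter", "Example.Lint-Helper"]
}"""

# Constructed snapshots of publisher/download metadata from both registries
# (real data would be fetched from the Marketplace and Open VSX APIs).
MARKETPLACE = {
    "ms-python.python": {"publisher": "Microsoft", "downloads": 150_000_000},
    "esbenp.prettier-vscode": {"publisher": "Prettier", "downloads": 50_000_000},
    "acme.widget-formatter": {"publisher": "Acme Tools", "downloads": 2_000_000},
    "example.lint-helper": {"publisher": "Example Org", "downloads": 800_000},
}
OPENVSX = {
    "ms-python.python": {"publisher": "Microsoft", "downloads": 9_000_000},
    "esbenp.prettier-vscode": {"publisher": "Prettier", "downloads": 4_000_000},
    # "acme.widget-formatter" is absent: anyone could publish under that ID.
    "example.lint-helper": {"publisher": "someone-else", "downloads": 12},
}

def load_recommendations(text):
    """Return recommended extension IDs, lower-cased (IDs are case-insensitive)."""
    return [ext_id.lower() for ext_id in json.loads(text).get("recommendations", [])]

def audit_extension(ext_id, marketplace, openvsx, min_ratio=0.001):
    """Compare one recommended ID across both registries. Verdicts:
    not-on-marketplace (nothing to compare), unclaimed (absent from Open VSX,
    so the name is free to squat), publisher-mismatch (same ID, different
    publisher), download-discrepancy (Open VSX count below min_ratio of the
    Marketplace count; the threshold is an assumed, tunable value), or ok."""
    official = marketplace.get(ext_id)
    if official is None:
        return "not-on-marketplace"
    mirror = openvsx.get(ext_id)
    if mirror is None:
        return "unclaimed"
    if mirror["publisher"].lower() != official["publisher"].lower():
        return "publisher-mismatch"
    if mirror["downloads"] < official["downloads"] * min_ratio:
        return "download-discrepancy"
    return "ok"

def audit_recommendations(text, marketplace=MARKETPLACE, openvsx=OPENVSX):
    """Map every recommended extension ID to its audit verdict."""
    return {ext_id: audit_extension(ext_id, marketplace, openvsx)
            for ext_id in load_recommendations(text)}
```

Anything other than `ok` deserves a manual look before the extension is installed; `unclaimed` in particular means the recommendation currently points at a name nobody legitimate owns on OpenVSX.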

Always prioritize verified publishers to protect your development environment from malicious code.