
Hackers Target Developers Through Malicious VS Code and AI IDE Extensions

Hackers exploit VS Code with malicious extensions, risking developer credentials and major supply chain attacks.
Content Team

Cybersecurity researcher Mazin Ahmed discovered that attackers are exploiting VS Code and AI-powered IDEs like Cursor AI by publishing malicious extensions that bypass security screening. A fake Python linter called "Piithon-linter" successfully made it through Microsoft's marketplace security checks and could steal developer credentials and deploy remote access tools.

The malware activates automatically when VS Code launches, first checking for antivirus software before harvesting sensitive environment variables. It uses geofencing to avoid detection during Microsoft's sandbox testing and can target Windows, macOS, or Linux systems.

Most concerning is that the OpenVSX marketplace, which powers Cursor AI, performs virtually no security verification. Since developers have access to source code, credentials, and production systems, these compromised extensions could lead to major supply chain attacks targeting entire organizations.
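As a defensive check for the launch-time activation described above, the following added example (not from the researcher or the original article) lists installed extensions whose `package.json` requests the VS Code startup activation events `*` or `onStartupFinished` and that are not on a reviewed allowlist. The article does not say which activation event the malicious extension used; the allowlist, the function names, and the sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Activation events that run extension code at editor startup with no user action.
STARTUP_EVENTS = {"*", "onStartupFinished"}


def audit_extensions(ext_root, approved=frozenset()):
    """List installed extensions that activate at startup and are not approved.
    ext_root: folder with one sub-directory per extension, e.g. ~/.vscode/extensions
    approved: reviewed "publisher.name" ids (hypothetical organisation allowlist)
    """
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{pkg['publisher']}.{pkg['name']}".lower()
        except (OSError, ValueError, KeyError, TypeError):
            # A manifest that cannot be parsed is itself worth a manual look.
            findings.append({"id": manifest.parent.name, "reason": "unreadable manifest"})
            continue
        events = pkg.get("activationEvents")
        events = events if isinstance(events, list) else []
        startup = sorted(e for e in events if isinstance(e, str) and e in STARTUP_EVENTS)
        if startup and ext_id not in approved:
            findings.append({"id": ext_id, "reason": "activates at startup", "events": startup})
    return findings


def build_sample(root):
    """Write constructed manifests (not real extensions) under root for a dry run."""
    samples = {
        "acme.approved-tool-1.0.0": {"publisher": "acme", "name": "approved-tool", "activationEvents": ["*"]},
        "acme.lazy-tool-2.0.0": {"publisher": "acme", "name": "lazy-tool", "activationEvents": ["onLanguage:python"]},
        "example.sample-linter-0.1.0": {"publisher": "example", "name": "sample-linter", "activationEvents": ["onStartupFinished", "*"]},
    }
    for folder, pkg in samples.items():
        (Path(root) / folder).mkdir(parents=True)
        (Path(root) / folder / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    (Path(root) / "broken-ext").mkdir()
    (Path(root) / "broken-ext" / "package.json").write_text("{not json", encoding="utf-8")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_extensions(tmp, approved={"acme.approved-tool"}):
            print(finding)
```

A startup activation event is common in legitimate extensions too, so the output is a review queue rather than a verdict.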

Source: Cybersecurity News
