Zero-Day Vulnerability Could Have Compromised Millions of Cursor and Windsurf Users

AI-powered coding assistants rely on extensions for functionality, but these extensions run with full privileges on developers' machines, creating a potential security risk. The vulnerability in OpenVSX allowed attackers to capture a powerful secret token and control the entire marketplace. This would enable them to publish malicious updates, overwrite existing ones, and silently hijack the environment.

The risk highlights the importance of treating extensions as part of an organization's attack surface and applying security measures such as maintaining an inventory of installed extensions, assessing risk based on the extension's origin and behavior, enforcing clear policies, and continuously monitoring for new risks. Organizations should adopt a zero-trust approach, assuming that every extension is untrusted until proven otherwise.

OpenVSX is an open-source marketplace that powers extensions for tools like Cursor, Windsurf, and VSCodium.

The vulnerability allowed attackers to gain control over the OpenVSX marketplace by exploiting a flaw in the automated build process.

Attackers could have published malicious updates, overwritten existing extensions, and hijacked the entire marketplace, potentially compromising millions of developers' machines.

Koi Security responsibly disclosed the vulnerability to the Eclipse Foundation, which maintains the OpenVSX project. They worked together to validate the issue, design a fix, and deploy the patch.

Do you think developers are aware enough of the risks associated with extensions? Share this article with others who need to stay ahead of this trend!