Can You Trust that Verified Symbol? Exploiting IDE Extensions is Easier Than it Should Be

TL;DR

Investigated IDEs: Visual Studio Code (VSCode), Visual Studio, IntelliJ IDEA, and Cursor
Flaw: Ability to create files that maintain verified symbols while adding malicious functionality
Exploit: Allows malicious extensions to appear verified while containing code capable of executing operating system commands

Reported to: Microsoft, JetBrains, Cursor

Integrated Development Environments (IDEs) play a major role in today’s programming landscape. They provide comprehensive environments in which programmers can write, test, and debug code efficiently. However, OX’s research, conducted in May and June 2025, reveals critical security vulnerabilities in how popular IDEs handle extension verification.

IDEs typically include basic built-in functionality, but their capabilities extend through a wide range of third-party extensions available on marketplaces and external websites. This means that any risk in the IDE could result in far-reaching consequences.

To read the complete article see:
Full Article