Cursor and OpenVSX face extension hijacking risk
Trendyol's security team uncovered a live namespace-squatting attack abusing OpenVSX to hijack extensions in Cursor, VSCodium, Windsurf and other VS Code forks.
Trendyol's security operations and application security teams uncovered a serious supply-chain weakness affecting Cursor and other OpenVSX-backed VS Code forks. Because Microsoft's Marketplace and OpenVSX operate as separate trust roots, attackers can register abandoned or unclaimed publisher.extension identifiers on OpenVSX and have them silently installed and executed by any editor resolving that name — essentially the npm dependency-confusion problem moved into the IDE extension layer.
By diffing all ~129,000 Marketplace extensions against roughly 14,194 OpenVSX entries, researchers found 104,456 identifiers with no OpenVSX counterpart at all (free namespaces ripe for squatting), 1,078 registered under a different publisher, 924 pointing to mismatched source repositories, and 126 exact-identifier hijacks — including widely used packages like sumneko.lua and rust-lang.rust with millions of installs. The team also demonstrated how Cursor's process-tree environment variables, such as CURSOR_SPAWNED_BY_EXTENSION_ID, can be used to trace malicious extension behavior back to its source.
The report urges organizations to deploy an extension allowlist, enforce an auto-update cooldown, and adopt the detection techniques outlined in the research immediately. Real-world campaigns like GlassWorm confirm this attack surface is already being actively exploited, not merely theoretical.