Saved February 14, 2026
This article discusses a security flaw in popular AI IDEs like Cursor and Windsurf, which recommended extensions that exist in Microsoft's marketplace but not on OpenVSX, the registry these IDEs rely on. The authors proactively claimed the vulnerable namespaces on OpenVSX so that nobody could upload malicious extensions under them.
A significant security flaw has emerged in popular AI-integrated development environments (IDEs) like Cursor, Windsurf, and Google Antigravity. These tools, with millions of users, inherit a configuration file from VSCode that includes hardcoded recommendations for extensions. However, since they can’t access Microsoft’s extension marketplace, they rely on OpenVSX, which lacks many of the recommended extensions. This creates a vulnerability: anyone can register unclaimed namespaces and upload malicious extensions, misleading users who trust their IDE’s suggestions.
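The gap described above can be checked before a recommendation is ever shown to a user. The following is an added example, not code from the article or from any of the IDEs: it classifies each hardcoded recommendation against a snapshot of the registry the IDE actually queries. The registry contents, the extension IDs, and the function names are all constructed for illustration, and case-insensitive ID matching is an assumption.

```python
from enum import Enum

class Status(Enum):
    RESOLVES = "resolves on the registry"
    NAMESPACE_CLAIMED = "namespace claimed, extension missing"
    NAMESPACE_UNCLAIMED = "namespace unclaimed"
    MALFORMED = "malformed id"

# Constructed registry snapshot: namespace -> extension names published there.
# Keys and names are stored lowercase. A real check would build this from the
# registry the IDE actually queries, not from the marketplace the list came from.
REGISTRY_SNAPSHOT = {
    "example-tools": {"linter", "formatter"},
    "acme": {"yaml-support"},
}

# Constructed recommendation list in "publisher.name" form.
RECOMMENDED = [
    "Example-Tools.Linter",   # differs from the registry entry only by case
    "acme.docker-helper",     # namespace exists, extension does not
    "contoso-db.postgres",    # nobody owns this namespace on the registry
    "not-an-extension-id",    # no publisher part
]

def classify(ext_id, registry):
    # Assumption: IDs are compared case-insensitively.
    publisher, sep, name = ext_id.strip().lower().partition(".")
    if not sep or not publisher or not name:
        return Status.MALFORMED
    if publisher not in registry:
        return Status.NAMESPACE_UNCLAIMED
    if name not in registry[publisher]:
        return Status.NAMESPACE_CLAIMED
    return Status.RESOLVES

def safe_recommendations(recommended, registry):
    """Only IDs that resolve may be shown to users; everything else is dropped."""
    return [e for e in recommended if classify(e, registry) is Status.RESOLVES]

if __name__ == "__main__":
    for ext_id in RECOMMENDED:
        print(f"{ext_id:24} {classify(ext_id, REGISTRY_SNAPSHOT).value}")
```

An entry in the `NAMESPACE_UNCLAIMED` state is the case the article is about; `NAMESPACE_CLAIMED` entries should still be withheld, because the namespace owner on the registry is not necessarily the publisher the recommendation was written for.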
The authors of the article took proactive measures by claiming vulnerable namespaces themselves, uploading placeholder extensions that clearly state they are not functional. They secured several namespaces tied to common development tools, so that attackers could not register them. Google initially dismissed reports of the vulnerability but later acknowledged the issue after further clarification. Cursor responded promptly and fixed the problem, while Windsurf did not respond at all.
The article highlights the broader implications of extension marketplaces as potential weak points in the software supply chain. The authors emphasize the need for vigilance against these threats, noting that traditional security measures often fall short. Their company, Koi, has developed a risk engine designed to monitor the behavior of extensions during installation, helping organizations detect malicious activity that might not be obvious from the code itself.