Safeguard
AI Security

Securing AI coding IDE extensions and plugins

VS Code themes with 9M installs shipped backdoors; Cursor's rules files were hijacked in 2025. Here's what AI IDE extension security actually requires.

Nayan Dey
Security Researcher
6 min read

In March 2023, Microsoft pulled two Visual Studio Code themes — Material Theme and Material Theme Icons — from its marketplace after ReversingLabs found obfuscated code phoning home to a suspicious remote endpoint. The two extensions had a combined install base of roughly 9 million. Two years later the threat moved up the stack: in March 2025, Pillar Security disclosed the "Rules File Backdoor," a technique for planting hidden instructions inside .cursorrules and .github/copilot-instructions.md files so that Cursor and GitHub Copilot silently generate backdoored code on a developer's behalf. AI coding IDEs — Cursor, Windsurf, Trae, VS Code with Copilot — now sit at the center of the software supply chain: they read entire repositories, execute terminal commands, and install extensions from marketplaces that were never built to withstand this level of trust. Securing that surface means treating IDE extensions as first-class software dependencies, not developer conveniences.

Why do AI coding IDE extensions carry more risk than traditional plugins?

AI coding IDE extensions carry more risk because they combine three privileges older plugins rarely held together — full filesystem read/write, terminal execution, and outbound network access — and an LLM decides when to invoke them, not a human clicking a menu item. VS Code's extension host runs extensions in the same process as the editor with no sandbox: an installed extension has the same file access as the logged-in user, full stop. Cursor and Windsurf forked that architecture and layered "agent mode" on top, where the assistant can run shell commands and the developer's only control is an "Allow" / "Allow and don't ask again" dialog that gets clicked hundreds of times a day. Extensions like Continue.dev, Cline, and Roo Code add their own dependency trees on top of that — meaning a compromised transitive npm package inside the extension itself becomes a compromise of every repo it touches. A malicious browser extension can steal cookies; a malicious IDE extension can rewrite your source code, exfiltrate your .env file, and commit on your behalf.

What real-world incidents have already exploited this attack surface?

Real-world incidents already span theming extensions, registry trust gaps, and the AI assistants themselves. The Material Theme case (March 2023, ~9 million combined installs) showed that even a purely cosmetic extension can carry a remote-callback backdoor for years before detection. In 2024, researchers at ExtensionTotal documented that Open VSX — the open-source registry that Cursor, Windsurf, VSCodium, and Gitpod use instead of Microsoft's marketplace — allowed namespace squatting: popular publisher names could be claimed by unrelated parties because Open VSX enforced far lighter verification than Microsoft's marketplace. Then in March 2025, Pillar Security's "Rules File Backdoor" disclosure showed the attack had moved from the extension layer to the AI layer itself, manipulating Cursor and GitHub Copilot's own code-generation behavior rather than shipping a traditional malicious payload. Each incident sat in a different layer of the stack — theme, registry, model context — which is exactly why point-in-time extension reviews miss so much.

How does a single malicious rules file compromise an entire codebase?

A single malicious rules file compromises a codebase because AI IDEs treat files like .cursorrules, .clinerules, and copilot-instructions.md as trusted, always-on system context that silently steers every subsequent suggestion the assistant makes. In Pillar Security's proof of concept, attackers embedded invisible Unicode characters and natural-language instructions inside a rules file — content a developer reviewing the diff would likely skim past or not even render — that told the model to insert hidden script tags or omit input validation whenever it touched HTML or auth code. Because the file is often introduced through a shared template repo, a forked starter project, or a single poisoned pull request, one compromised file can taint every feature branch that inherits it, and the backdoor reappears in AI-suggested code long after the original file is forgotten. Traditional code review catches a suspicious function; it is not built to catch a config file that quietly reprograms the reviewer's assistant.

Can you trust the "verified" checkmark on a marketplace listing?

No — a verified badge confirms domain ownership, not code safety. ExtensionTotal's 2024 research on the VS Code Marketplace showed that verification checks whether a publisher controls a claimed web domain, and that install counts and ratings — the signals developers actually use to judge trust — can be inflated or gamed with minimal friction. Microsoft does run automated scanning against known-malware signatures, but that scanning is signature-based and retrospective: the Material Theme extensions passed it for roughly six months before ReversingLabs' manual analysis flagged them. Open VSX, which many AI-native IDEs default to, runs an even thinner review pipeline. The practical takeaway: a checkmark tells a developer that someone owns a URL, not that the 40,000 lines of minified JavaScript behind the "Install" button don't exfiltrate credentials.

What should a security team check before an AI IDE extension goes on developer laptops?

A security team should check five things before approving any AI IDE extension: publisher history and prior CVEs, the specific permissions requested (workspace trust level, filesystem scope, network egress), whether the source is open enough to diff against a known-good build, the update cadence and whether updates auto-install without review, and whether the vendor publishes a software bill of materials for the extension's own dependency tree. In practice, most organizations check none of these — extensions get installed the way a browser bookmark does, by individual developers, with no central inventory of what's running across the fleet. That gap is the same one that let two theme extensions run unreviewed on 9 million machines: nobody owned the decision to allow them in the first place, so nobody was positioned to revoke it quickly when the behavior turned out to be malicious.

How Safeguard Helps

Safeguard treats AI IDE extensions and their dependency chains the same way it treats any other software component entering the SDLC: continuously inventoried, scored, and remediated. Griffin AI reviews extension manifests, requested permissions, and known publisher signals to flag risky installs before they spread across a developer fleet, while Safeguard's reachability analysis determines whether a vulnerable dependency bundled inside an extension is actually invoked in a way that matters — cutting through the noise of theoretical CVEs that never execute. SBOM generation and ingest give security teams a real-time inventory of every extension and transitive package running across engineering, closing the "nobody owned this decision" gap that let past incidents run for months. Where a fix is available, Safeguard opens an auto-fix pull request to pin a safe version or remove the offending dependency, so remediation doesn't wait for the next manual audit cycle.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.