128M Downloads: Four VSCode Extension Vulnerabilities
On February 17, 2026, OX Security disclosed vulnerabilities in four VSCode extensions that together had been downloaded 128M times.
Two of the extensions were vulnerable to data exfiltration (Markdown Preview Enhanced and Microsoft Live Preview), one contained an RCE vulnerability (Code Runner), and one had a remote file exfiltration vulnerability (LiveServer).
In the announcement, OX stated that none of the maintainers had responded to the disclosures it sent six months earlier. They write:
This cannot continue.
Several solutions exist to address this crisis:
- Mandatory security review processes before extensions are published to marketplaces, similar to app store vetting
- Automated vulnerability scanning using AI-powered security testing tools to analyze new extensions before they reach developers
- Enforceable response requirements for maintainers of popular extensions, including mandatory CVE issuance and patch timelines
It is imperative that developers:
- regularly review and uninstall unused or old extensions (weekly)
- restrict local network access from dev machines so that they can reach as little of the network as possible
- monitor settings.json files and similar configuration files for auto-executing code
- maintain backups of sensitive settings files
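The checklist above can be made routine with a small script. The following is an added example, not code from OX Security or from the original post, that covers three of the items: it parses the output of VS Code's real `code --list-extensions --show-versions` command and flags any extension not on a team allowlist, it records a SHA-256 baseline of settings.json and similar files and reports drift, and it flags tasks in tasks.json configured with VS Code's documented `runOptions.runOn: "folderOpen"`, which runs a task automatically when a folder is opened. The allowlist, the CLI output and the tasks.json content are constructed sample data; the extension ids in them are placeholders, not extensions named in the disclosure.

```python
"""Drift and allowlist checks for VS Code extensions and configuration files (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed allowlist: extension ids the team has agreed to keep installed.
ALLOWED_EXTENSIONS = {"ms-python.python", "esbenp.prettier-vscode"}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_CLI_OUTPUT = """ms-python.python@2024.2.1
esbenp.prettier-vscode@10.4.0
example.unreviewed-helper@0.0.3
"""

# Constructed tasks.json: one ordinary task and one that runs when the folder opens.
SAMPLE_TASKS_JSON = """{
    // full-line comments are legal in VS Code's JSONC files
    "version": "2.0.0",
    "tasks": [
        {"label": "lint", "type": "shell", "command": "echo lint"},
        {"label": "bootstrap", "type": "shell", "command": "echo setup",
         "runOptions": {"runOn": "folderOpen"}}
    ]
}
"""


def parse_extension_list(text):
    """Turn `publisher.name@version` lines into {id: version}."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, _, version = line.partition("@")
        inventory[ext_id.lower()] = version
    return inventory


def unexpected_extensions(inventory, allowlist=ALLOWED_EXTENSIONS):
    """Installed extension ids not on the allowlist: candidates for review or removal."""
    allowed = {a.lower() for a in allowlist}
    return sorted(ext for ext in inventory if ext not in allowed)


def load_jsonc(text):
    """Parse VS Code JSONC by dropping full-line // comments, then parsing as JSON."""
    kept = [l for l in text.splitlines() if not l.lstrip().startswith("//")]
    return json.loads("\n".join(kept))


def auto_run_tasks(tasks_text):
    """Labels of tasks configured to run automatically on folder open."""
    doc = load_jsonc(tasks_text)
    return sorted(
        t.get("label", "<unlabelled>")
        for t in doc.get("tasks", [])
        if t.get("runOptions", {}).get("runOn") == "folderOpen"
    )


def file_digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def baseline(paths):
    """Digest every config file that exists; a missing file is recorded as None."""
    return {str(p): (file_digest(p) if Path(p).exists() else None) for p in paths}


def drift(saved, paths):
    """Compare current files against a saved baseline: {path: 'changed'|'added'|'removed'}."""
    current = baseline(paths)
    changes = {}
    for p in sorted(set(saved) | set(current)):
        before, after = saved.get(p), current.get(p)
        if before == after:
            continue
        changes[p] = "added" if before is None else "removed" if after is None else "changed"
    return changes


def demo():
    """Run all three checks against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        settings = Path(tmp) / "settings.json"
        tasks = Path(tmp) / "tasks.json"
        settings.write_text('{"editor.formatOnSave": true}\n')
        saved = baseline([settings, tasks])                       # tasks.json absent at baseline time
        settings.write_text('{"editor.formatOnSave": false}\n')   # settings edited afterwards
        tasks.write_text(SAMPLE_TASKS_JSON)                       # tasks.json appeared afterwards
        return {
            "unexpected": unexpected_extensions(parse_extension_list(SAMPLE_CLI_OUTPUT)),
            "auto_run": auto_run_tasks(SAMPLE_TASKS_JSON),
            "drift": drift(saved, [settings, tasks]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be stored outside the dev machine's user profile and the script run on a schedule, with the real settings paths substituted for the temporary files used here; the digest baseline only detects change, so the separate backup of the settings files recommended above is still needed to restore them.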