In a stark reminder that convenience often comes with a cost, cybersecurity researchers have uncovered a series of serious security flaws in four of the most popular extensions for Microsoft’s Visual Studio Code (VS Code) — the code editor used by millions of developers worldwide.
The vulnerabilities, disclosed recently by OX Security, affect extensions such as Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview — tools that collectively have been installed well over 125 million times from the official marketplace.
At first glance, these add-ons seem benign — helping developers preview HTML, run code without switching contexts, or simply enjoy enhanced editing experiences. But beneath those helpful features lurked potential security nightmares: weaknesses that could allow a remote attacker to read local files, execute arbitrary code, or perform reconnaissance against a developer’s machine and local network.
Perhaps most worrying is how insidiously these flaws could be triggered. In the case of Live Server, a tool that launches a local development web server, the vulnerability meant that a malicious web page open in the developer’s browser could make requests to that server while it listened in the background — so an attacker did not need access to the machine at all, only a visit to their page while the server was running.
Similarly, Code Runner, used by millions to quickly execute snippets in various languages, contained a high-severity issue that could allow a crafted configuration or “settings.json” entry to trigger remote code execution. Because VS Code also reads workspace settings from a “.vscode/settings.json” file inside the project folder, such an entry can arrive with a cloned repository rather than with anything the developer typed. Even simply opening a maliciously composed Markdown file in Markdown Preview Enhanced could be enough to kick off high-risk behaviors.
Compounding the problem, OX Security says that three of the four maintainers failed to respond to responsible disclosure attempts made as early as June 2025 — leaving the flaws unpatched for months before they were publicly disclosed.
For developers — especially those working on sensitive projects or within large organizations — the implications are serious. Developer machines often contain API keys, cloud credentials, SSH keys, and other sensitive secrets. A compromised extension could become a foothold from which attackers pivot deeper into corporate networks.
The good news? Patched versions are now available, and experts urge developers to remove unused extensions, update immediately, and be cautious about opening untrusted files while local servers are running. But the incident also raises broader questions about the security of extension ecosystems and how widely trusted tools are vetted and maintained.