06/25/2025-07/02/2025 New Flaw in IDEs Like Visual Studio Code, Flaw in Open VSX Registry, Critical Flaws in ISE and ISE-PIC And More.

1. New Flaw in IDEs Like Visual Studio Code Lets Malicious Extensions Bypass Verified Status

A new study revealed vulnerabilities in popular IDEs like Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor that let attackers run malicious code on developer machines by exploiting flaws in extension verification. Researchers from OX Security found that Visual Studio Code’s verification process can be bypassed by creating malicious extensions mimicking verified ones, making them appear trustworthy while executing harmful OS commands. This abuse of extension sideloading allows rogue plugins distributed outside official marketplaces to appear legitimate, posing a serious risk in development environments with sensitive data.

The team demonstrated a proof-of-concept where a malicious extension opened the Calculator app on Windows. Similar flaws were found in IntelliJ IDEA and Cursor by altering verification values without losing the verified status.

Microsoft claims this is by design and has signature verification to block such extensions from the Marketplace, but the flaw was still exploitable as of June 2025.

2. Researchers Uncover Flaw in Open VSX Registry, Exposing Developer Extensions to Takeover

Cybersecurity researchers discovered a flaw in the Open VSX Registry that risked control over its extensions ecosystem used by over eight million developers. The vulnerability, disclosed by Koi Security on May 4, 2025, remained unpatched until June 25, 2025.

Open VSX, managed by the Eclipse Foundation, supports VS Code forks like Cursor and VSCodium. The flaw was in its automated publishing workflow, where a privileged token (OVSX_PAT) used to publish extensions was exposed during npm installs, allowing attackers to extract it by running malicious build scripts.
With this token, attackers could overwrite any extension with malicious code, potentially compromising developer machines without detection since updates run silently in the background. Given extensions’ deep access to environments, this posed a serious security risk. After disclosure, the Eclipse Foundation patched the issue, securing the publishing process to prevent token exposure during builds. This incident highlights the critical need for strict security in extension marketplaces.

3. Critical Vulnerability in Anthropic’s MCP Exposes Developer Machines to Remote Exploits

Cybersecurity researchers have uncovered a critical vulnerability (CVE-2025-49596, CVSS 9.4) in Anthropic’s Model Context Protocol (MCP) Inspector that allows remote code execution (RCE), giving attackers full access to affected machines. The flaw stems from insecure default settings, such as lack of authentication and encryption, exposing local servers to browser-based attacks. By exploiting a legacy browser vulnerability known as “0.0.0.0 Day” and chaining it with a CSRF flaw, a malicious website can trigger arbitrary code execution on a developer’s machine. The issue was patched in version 0.14.1 with added authentication and origin checks. Despite being a reference tool not meant for production, MCP Inspector has been widely adopted and forked over 5,000 times. Security experts warn that such misconfigurations create major risks for developers, especially in public networks, and stress the need for stricter AI rules to guard against prompt injection and context poisoning in agent workflows.

 

4. Chinese Group Silver Fox Uses Fake Websites to Deliver Sainbox RAT and Hidden Rootkit

A new campaign uses fake websites advertising popular software like WPS Office and Sogou to deliver the Sainbox RAT and an open-source Hidden rootkit. This activity is linked with medium confidence to the Chinese hacking group Silver Fox (aka Void Arachne), based on similarities to their previous campaigns. The phishing sites, such as “wpsice[.]com,” distribute malicious MSI installers in Chinese, targeting Chinese-speaking users. The malware includes Sainbox RAT—a Gh0st RAT variant—and the Hidden rootkit.The installers launch a legitimate executable that sideloads a rogue DLL to execute shellcode and deploy Sainbox. The embedded rootkit helps hide malware processes and registry keys.

Silver Fox has used similar tactics before, including campaigns in 2024 delivering Gh0st RAT variants like ValleyRAT. Using commodity RATs and open-source rootkits lets attackers maintain control and stealth with minimal custom coding.

5. Cisco Patches Critical Flaws in ISE and ISE-PIC That Allow Root Access

Cisco has released urgent patches for two critical vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), rated CVSS 10.0. These flaws, CVE-2025-20281 and CVE-2025-20282, allow attackers to gain root access without credentials, risking full system compromise.

CVE-2025-20281 affects ISE and ISE-PIC versions 3.3 and later, enabling remote root command execution via a vulnerable API. CVE-2025-20282 impacts version 3.4, letting attackers upload and execute malicious files with root privileges.
Both flaws affect all deployments of versions 3.3 and 3.4, with no workarounds available—only software patches fix the issue. Cisco urges immediate patching, noting no known exploitation yet but highlighting the high risk.

Discovered via Trend Micro’s Zero Day Initiative, these vulnerabilities stress the importance of securing API endpoints and applying timely updates to protect critical identity management systems.