Unverified extensions security issue

user209 · July 7, 2025, 6:26am

Describe the Bug

Currently there is no easy way to identify unverified extensions in cursor. There should be at least a warning.

Steps to Reproduce

As an example, there is a credentials grabber malware disguised as a popular VS Code extension with more than 1.8 million downloads on the VS Code Marketplace. On Open VSX, it shows 2 million downloads, while the original extension has only 64,000 downloads. Since unverified publishers appear identical to verified ones in the extensions UI, we’re just one click away from getting recked.

Expected Behavior

A clear warning must be displayed to indicate that the extension is unverified.

Screenshots / Screen Recordings

Operating System

All

Current Cursor Version (Menu → About Cursor → Copy)

All version are affected.

Does this stop you from using Cursor

No - Cursor works, but with this issue

condor · July 7, 2025, 6:28am

Hi @user209 and welcome to the Cursor Forum.

Thank you for the report. I would suggest contacting openVSX directly as they operate the marketplace.

user209 · July 7, 2025, 6:35am

OpenVSX was notified before registering the bug. But it does not solve the problem in general case.

condor · July 7, 2025, 7:28am

Great, could you elaborate please on the ‘general case’?
Looking at Marketplace as a VSCode feature and in this case operated by OpenVSX.

system · July 29, 2025, 7:29am

This topic was automatically closed 22 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cursor Extensions Marketplace security (Open VSX) Discussions	0	98	August 3, 2025
Extension publisher verified on OpenVSX not showing as such in Cursor Bug Reports	7	90	September 9, 2025
My VS Code extension is not showing up Bug Reports	3	777	December 31, 2024
Output of `cursor --list-extensions` or `code --list-extensions` is incomplete, and seems off in one other way Bug Reports	0	771	March 31, 2024
Unable to login via cursor Bug Reports	1	266	January 9, 2024