MASSIVE VS CODE SECURITY BREACH

Computer security experts have just uncovered a nightmare scenario for programmers: four of the most famous tools used inside Microsoft VS Code are wide open to hackers. These tools, which developers add to their software to make coding easier, have been downloaded over 125 million times. This means millions of workstations are currently sitting ducks for digital thieves who want to steal private files or take over entire company networks.

Researchers from OX Security, Moshe Siman Tov Bustan and Nir Zadok, have warned that it doesn’t take a massive high-tech assault to bring a company to its knees. A single weak link in just one extension is all a hacker needs to get their foot in the door. Once they are in, they can move through a company’s private systems like a ghost, grabbing everything from trade secrets to personal data.

The Specific Holes in Your Defense

The first major danger involves a tool called Live Server. Identified as CVE-2025-65717, this flaw is particularly scary because it is still not fixed. If you have this extension running, a hacker only needs to trick you into clicking a link to a shady website. Once you’re there, hidden code on that site can secretly reach back into your computer through a “local” connection that the extension leaves open. It essentially turns your own coding tool into a vacuum that sucks up your private files and sends them straight to the attacker.

Then there is Markdown Preview Enhanced, labeled as CVE-2025-65716. This one is also still broken and dangerous. In this case, a hacker can send you a specially rigged document that looks like a normal text file. If you open it, the extension accidentally runs hidden computer code that can spy on your internet connection and ship your data off to a foreign server. Because many people trust these preview tools, they never suspect that a simple document could be a trap.

The third threat, CVE-2025-65715, targets the Code Runner extension. This vulnerability relies on tricking people into changing their software settings. Using clever lies or “phishing” emails, hackers convince developers to copy and paste specific lines into their configuration files. Once that happens, the hacker gains the power to run any command they want on the victim’s machine. Like the others, this remains unpatched and active.

Finally, a fourth hole was found in Microsoft Live Preview. Similar to the Live Server issue, it allowed bad actors to sneak into a developer’s local files through a malicious website. While Microsoft quietly fixed this in version 0.4.16 back in September 2025, anyone who hasn’t updated is still in the line of fire.

Why Your Laptop Is a Gateway for Hackers

The core of the problem is that many of these extensions are written with poor security standards or ask for way too much permission to access your system. When an extension is “overly permissive,” it has the keys to the kingdom, meaning it can read, write, and delete files just like you can. If a hacker hijacks that extension, they basically become the owner of your computer.

Experts say that leaving these vulnerable tools on your machine is like leaving your front door wide open in a bad neighborhood. It might only take one wrong click on a website or one downloaded folder from a stranger to lose everything. The threat isn’t just to the individual programmer; it’s to the entire organization they work for.

How to Protect Your Code and Your Company

To stop these attacks, you need to change how you handle your coding environment. Don’t just install every shiny new tool you see. If you don’t absolutely need an extension to get your job done, get rid of it. You should also be extremely careful about changing your software settings based on advice from the internet or strange emails.

Hardware and software firewalls are also vital. By tightening your network settings, you can block the “outbound” signals that hackers use to steal your data. Most importantly, you must turn off these local servers when you aren’t actively using them. If the door isn’t open, the hacker can’t walk through it. Staying safe requires a mix of constant updates and a healthy dose of suspicion whenever you’re asked to click a link or download a file.
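
One way to check a workstation against the list above, as an added example that is not from the original article or from OX Security: it reads the output of `code --list-extensions --show-versions` and flags the four extensions named here, treating Live Preview as fixed from 0.4.16. The marketplace IDs and the sample listing are assumptions, since the article gives only the extension names.

```python
import re
import sys

# Marketplace IDs are assumptions: the article gives extension names only.
# Values: (name on the page, CVE from the page or None, first fixed version or None)
FLAGGED = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715", None),
    "ms-vscode.live-server": ("Live Preview", None, "0.4.16"),
}

def parse_version(text):
    """'0.4.15' -> (0, 4, 15); returns None when there are no leading numeric parts."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group().split(".")) if m else None

def audit(listing):
    """Return findings for the output of `code --list-extensions --show-versions`."""
    findings = []
    for line in listing.splitlines():
        ext_id, _, version = line.strip().partition("@")
        entry = FLAGGED.get(ext_id.lower())  # extension IDs are case-insensitive
        if entry is None:
            continue
        name, cve, fixed_in = entry
        if fixed_in is None:
            findings.append((name, version, f"no fix reported ({cve}): remove or disable"))
            continue
        installed = parse_version(version)
        if installed is None:
            findings.append((name, version, f"version unknown: confirm it is {fixed_in} or later"))
        elif installed < parse_version(fixed_in):
            findings.append((name, version, f"update to {fixed_in} or later"))
    return findings

# Constructed sample listing, not captured from a real machine.
SAMPLE = """\
ritwickdey.LiveServer@5.7.9
ms-python.python@2025.1.0
ms-vscode.live-server@0.4.15
formulahendry.code-runner@0.12.2
"""

if __name__ == "__main__":
    listing = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, version, action in audit(listing):
        print(f"{name} {version or '(no version)'}: {action}")
```

Run it as `code --list-extensions --show-versions | python3 audit.py`; the file name is hypothetical.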
