Security vulnerabilities were discovered in VS Code extensions that allow a developer's IDE to be used as a path to compromising the local machine and the build and deployment systems it can reach. Many extensions run a local server, typically for previewing files or for IPC, and that server can be abused to steal sensitive data such as private keys or to gain access to production servers. One attack vector is command injection: unsanitized input from a WebSocket client flows into the openExternal VS Code API method. Popular extensions such as LaTeX Workshop and Open In Default Browser were found vulnerable to path traversal and related attacks. Remediation advice includes using secure dependencies, adding server-side protections such as validating the Origin header on incoming requests, and continuously monitoring dependencies for updates with tools like Snyk. The findings highlight the risk of installing IDE plugins without scrutiny and underline the need for continuous testing and prompt fixing of security issues in extensions.