Forked IDEs that inherit hardcoded 'recommended extensions' but rely on an alternate extension registry (e.g., OpenVSX) create an attack surface: adversaries can preemptively claim the extension names that are missing from that registry and publish malicious packages that these IDEs will suggest to their users. The flaw combines vendor forking, cross-store incompatibility, and brittle default configs into a compromise that scales with the fork's install base.
— This reframes developer tooling defaults and alternative registries as a public-interest cybersecurity problem requiring standards (signed recommendations, registry provenance, revocation) and regulation or industry coordination.
msmash
2026.01.05
100% relevant
AI-powered VSCode forks (Cursor, Windsurf, Google Antigravity, Trae) hardcode the Microsoft marketplace's extension recommendations but install from OpenVSX; attackers can claim the extension namespaces that are missing there and upload malware under those names.
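The defensive check this implies, as an added example that is not code from the summary or from any of the named IDEs: audit a shipped recommendation list against a snapshot of the registry the IDE actually installs from, and flag every ID whose namespace is unclaimed, whose extension is absent, or whose publisher is unverified. The registry snapshot, its shape, and the extensions.json contents are constructed for the example, not real OpenVSX data.

```python
# Added example (not from the summarised report): audit an IDE's shipped
# recommendations against the registry it will actually install from.
import json

# Constructed snapshot of the alternate registry: namespace ->
# (publisher verified?, extension names published there). Real data would
# come from the registry's metadata API; this shape is an assumption.
REGISTRY_SNAPSHOT = {
    "ms-python": (True, {"python"}),
    "esbenp": (True, {"prettier-vscode"}),
    "vendorx": (False, {"vendorx-linter"}),   # claimed, but owner unverified
    # "acme-tools" is deliberately absent: nobody has claimed it here
}

# Constructed extensions.json in the form a forked IDE might hardcode,
# using marketplace-style "publisher.name" identifiers.
RECOMMENDATIONS_JSON = """{
  "recommendations": [
    "ms-python.python",
    "esbenp.prettier-vscode",
    "acme-tools.acme-debugger",
    "vendorx.vendorx-linter",
    "esbenp.nonexistent-tool"
  ]
}"""

def audit(recommendations_json, snapshot):
    """Map each recommended ID to how it resolves on the target registry."""
    result = {}
    for ext_id in json.loads(recommendations_json)["recommendations"]:
        namespace, _, name = ext_id.partition(".")
        if namespace not in snapshot:
            # Worst case: the namespace is unowned, so whoever registers it
            # controls what every user of the fork is told to install.
            result[ext_id] = "unclaimed-namespace"
        elif name not in snapshot[namespace][1]:
            # Namespace exists but the extension does not; a later upload
            # under that name would silently satisfy the recommendation.
            result[ext_id] = "missing-extension"
        elif not snapshot[namespace][0]:
            result[ext_id] = "unverified-publisher"
        else:
            result[ext_id] = "ok"
    return result

def blocking_findings(recommendations_json, snapshot):
    """IDs that must be dropped, pinned, or re-pointed before the config ships."""
    return sorted(i for i, s in audit(recommendations_json, snapshot).items() if s != "ok")
```

Run this as a CI gate on the fork's recommendation list: a non-empty `blocking_findings` result means the default config points users at something the target registry cannot vouch for.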