VSCode and Cursor IDE were exploited as supply chain delivery vectors in the UNC4736 Drift Protocol heist, with poisoned code repositories and malicious extensions used to compromise developer workstations and harvest credentials and key material. No CVE is associated; the attack exploited the absence of extension vetting controls and the trust developers place in community-sourced tooling. Organizations should audit installed IDE extensions for unverified publishers, monitor IDE extension host processes for anomalous outbound network activity and credential store access, and enforce an approved extension list for developers with access to sensitive infrastructure.
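
One way to run the extension audit recommended above, as an added example that is not code from the original advisory: it reads each extension's `package.json` under the VS Code and Cursor per-user extension folders and reports anything absent from an approved list. The folder locations, the function names and the extension IDs are assumptions, and the sample data in `demo()` is constructed.

```python
import json
import tempfile
from pathlib import Path

# Per-user extension roots for VS Code and Cursor (assumed default install layout).
DEFAULT_ROOTS = [Path.home() / ".vscode" / "extensions",
                 Path.home() / ".cursor" / "extensions"]

def installed_extensions(root):
    """Yield (extension_id, version, path) for each extension folder under root."""
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
            version = str(meta.get("version", "unknown"))
        except (OSError, ValueError, KeyError, TypeError):
            # Unreadable or malformed manifest: report it instead of skipping it.
            ext_id, version = "<unparseable manifest>", "unknown"
        yield ext_id, version, manifest.parent

def audit(roots, approved):
    """Return a finding for every installed extension not on the approved list."""
    allow = {a.lower() for a in approved}
    findings = []
    for root in roots:
        if not Path(root).is_dir():
            continue  # that IDE is not installed for this user
        for ext_id, version, path in installed_extensions(root):
            if ext_id not in allow:
                findings.append({"id": ext_id, "version": version, "path": str(path)})
    return findings

def demo():
    """Run the audit over a constructed extensions directory (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"ms-python.python-2024.0.0": {"publisher": "ms-python", "name": "python", "version": "2024.0.0"},
                   "example-pub.helper-0.0.1": {"publisher": "example-pub", "name": "helper", "version": "0.0.1"}}
        for folder, meta in samples.items():
            (Path(tmp) / folder).mkdir()
            (Path(tmp) / folder / "package.json").write_text(json.dumps(meta))
        (Path(tmp) / "broken-1.0.0").mkdir()
        (Path(tmp) / "broken-1.0.0" / "package.json").write_text("{not json")
        return [f["id"] for f in audit([tmp], approved=["ms-python.python"])]

if __name__ == "__main__":
    print(demo())
```

On a real workstation, call `audit(DEFAULT_ROOTS, approved=...)` with the organization's own approved list; an ID match does not by itself confirm that the publisher is verified in the marketplace.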