Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks
Briefly

Cybersecurity researchers have identified a significant vulnerability in the Open VSX Registry that could give attackers control over the VS Code extensions marketplace. This poses a severe risk because developers depend on this repository for extension updates. Koi Security highlighted that exploiting this flaw could enable malicious updates to be pushed to numerous developer machines, effectively compromising their systems. Prompt disclosure led to the implementation of fixes, underscoring the importance of security in software development practices.
"This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines," Koi Security researcher Oren Yomtov said.
This widespread adoption means that a compromise of Open VSX is a supply-chain nightmare scenario.
Following responsible disclosure on May 4, 2025, the maintainers proposed multiple rounds of fixes before the final fix was deployed on June 25.
By exploiting a CI issue, a malicious actor could publish malicious updates to every extension on Open VSX.
Read at The Hacker News