
Massive Security Breach: Open VSX Registry Vulnerability Puts Millions of Developers at Risk of Supply Chain Attacks

Cybersecurity researchers have uncovered a serious vulnerability in the Open VSX Registry that could allow attackers to hijack the entire Visual Studio Code extensions marketplace, a significant supply chain risk. The flaw was reported by Koi Security's Oren Yomtov, who stated that it could enable an attacker to publish malicious updates to any extension hosted on Open VSX. Following responsible disclosure on May 4, 2025, the maintainers implemented a series of fixes, with the final patch applied on June 25, 2025.

The Open VSX Registry serves as an alternative to the Visual Studio Marketplace and is managed by the Eclipse Foundation. Various code editors, including Cursor and Gitpod, integrate this registry into their services. That wide adoption makes the registry an attractive target for supply chain attacks: every extension install or update performed by these editors passes through it.

The vulnerability lies in the repository that auto-publishes extensions, where a GitHub Actions workflow running with privileged credentials performs the publishing. During that workflow, npm, the package manager, executes the build scripts of the auto-published extensions and of their dependencies, so any such script runs with access to the credentials of the OVSX service account. A malicious actor with that access could publish harmful extensions or alter existing ones to inject malicious code.
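The mechanism in the paragraph above, npm running scripts declared by dependencies in a job whose environment holds a publishing token, is what the following audit looks for: it walks a dependency tree and reports every package that declares an install-time lifecycle hook. This is an added example, not Open VSX's or Koi Security's code; the package names, the `setup.js` command and the fixture tree are constructed, and it assumes a plain `node_modules` layout with one `package.json` per package.

```python
"""Audit a dependency tree for npm install-time lifecycle hooks.

Added example, not Open VSX or Koi Security code; assumes a plain
node_modules layout with one package.json per package."""
import json
import tempfile
from pathlib import Path

# npm runs these hooks on its own during `npm install` / `npm ci` unless
# --ignore-scripts (or ignore-scripts=true in .npmrc) is set, so any secret
# present in the job's environment is readable by them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(root):
    """Return [(package_name, hook, command)] for every package.json below
    root that declares an install-time lifecycle script."""
    findings = []
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if not isinstance(scripts, dict):
            continue
        name = data.get("name") or str(pkg_json.parent)
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, str(scripts[hook])))
    return findings


def build_fixture():
    """Constructed sample tree: the extension itself (build script only), a
    clean dependency, and a dependency carrying a postinstall hook."""
    root = Path(tempfile.mkdtemp())
    manifests = {
        ".": {"name": "example-extension", "scripts": {"build": "tsc -p ."}},
        "node_modules/left-pad": {"name": "left-pad", "version": "1.3.0"},
        "node_modules/sneaky-dep": {"name": "sneaky-dep",
                                    "scripts": {"postinstall": "node setup.js"}},
    }
    for rel, manifest in manifests.items():
        (root / rel).mkdir(parents=True, exist_ok=True)
        (root / rel / "package.json").write_text(json.dumps(manifest))
    return root
```

`find_install_hooks(build_fixture())` reports only `sneaky-dep`'s `postinstall`; running the build with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) and handing the publishing token only to the publish step, never to the install and build steps, removes the exposure such hooks rely on.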

The implications of this vulnerability have also drawn attention from MITRE, which recently added an "IDE Extensions" technique to its ATT&CK framework, highlighting the risk that attackers manipulate extensions to gain persistent access to systems. Yomtov's closing point is that every item in a marketplace could serve as a backdoor: these are unprotected software dependencies that deserve the same scrutiny as established package managers such as npm or PyPI. Left unchecked, they present an enticing and growing attack surface.
