June 27, 2025 By Pierluigi Paganini

A critical flaw in Open VSX Registry could let attackers hijack the VS Code extension hub, exposing millions of developers to supply chain attacks.
Cybersecurity researchers at Koi Security discovered a critical vulnerability in the Open VSX Registry (open-vsx.org) that could have let attackers take over the Visual Studio Code extensions marketplace, endangering millions of developers through potential supply chain attacks.
open-vsx.org is an open-source extension registry maintained by the Eclipse Foundation. It serves as a community-driven alternative to Microsoft’s proprietary Visual Studio Code Marketplace. Open VSX allows developers and organizations to publish, discover, and use extensions for VS Code-compatible editors (like Eclipse Theia or Gitpod) without being tied to Microsoft’s licensing.
The Open VSX Registry is used by over 8,000,000 developers.