Significant Vulnerability in Open VSX Registry Poses Risk of Supply Chain Attacks for Millions of Developers

Cybersecurity researchers have identified a significant vulnerability in the Open VSX Registry (open-vsx.org), which, if successfully exploited, could allow attackers to gain control over the entire Visual Studio Code extensions marketplace. This situation presents a considerable supply chain risk.

This vulnerability would enable attackers to exert full control over the extensions marketplace, thereby compromising millions of developer environments. According to Koi Security researcher Oren Yomtov, “By exploiting a CI issue, a malicious actor could publish harmful updates to every extension on Open VSX.”

Following the responsible disclosure on May 4, 2025, multiple rounds of fixes were implemented by the maintainers, culminating in a final deployment on June 25.

The Open VSX Registry is an open-source alternative to the Visual Studio Marketplace and is maintained by the Eclipse Foundation. Numerous code editors, including Cursor, Windsurf, Google Cloud Shell Editor, and Gitpod, have integrated it into their platforms.

The extensive adoption of Open VSX highlights the potential catastrophe of a compromise. Each time an extension is installed or an update is fetched, these actions are routed through Open VSX. Yomtov remarked, “Every instance is a supply-chain nightmare scenario.”

The vulnerability uncovered by Koi Security originates from the publish-extensions repository, which comprises scripts for releasing open-source VS Code extensions to open-vsx.org. Developers can request automatic publication of their extensions by submitting a pull request to add their extension to the extensions.json file in the repository, which is subsequently approved and merged.

The backend process involves a GitHub Actions workflow that executes daily, taking as input a list of extensions from the JSON file and publishing them via the vsce npm package. Yomtov explained, “This workflow operates with privileged credentials, including a secret token (OVSX_PAT) from the @open-vsx service account, granting it the authority to publish or overwrite any extension in the marketplace. Trusted code should be the only entity that has access to this token.”

The vulnerability lies in the fact that npm install runs the arbitrary build scripts of all auto-published extensions and their dependencies while granting them access to the OVSX_PAT environment variable. Consequently, this enables unauthorized individuals to gain access to the @open-vsx account’s token, thereby allowing them to publish malicious extensions or modify existing ones to include harmful code.

This degree of risk associated with extensions has led MITRE to introduce a new “IDE Extensions” technique in its ATT&CK framework, effective April 2025. This poses a risk that malicious actors could leverage extensions to maintain persistent access to compromised systems.

Yomtov commented, “Every marketplace item is a potential backdoor. They are unvetted software dependencies with privileged access and require scrutiny equivalent to any package from PyPI, npm, Hugging Face, or GitHub. If not properly managed, they can cultivate a vast, invisible supply chain that attackers are increasingly targeting.”