Pierluigi Paganini June 27, 2025

A critical flaw in Open VSX Registry could let attackers hijack the VS Code extension hub, exposing millions of developers to supply chain attacks.

Cybersecurity researchers at Koi Security discovered a critical vulnerability in the Open VSX Registry (open-vsx.org) that could have let attackers take over the Visual Studio Code extensions marketplace, endangering millions of developers through potential supply chain attacks.

open-vsx.org is the open-source is an open-source extension registry maintained by the Eclipse Foundation. It serves as a community-driven alternative to Microsoft’s proprietary Visual Studio Code Marketplace. Open VSX allows developers and organizations to publish, discover, and use extensions for VS Code-compatible editors (like Eclipse Theia or Gitpod) without being tied to Microsoft’s licensing.

The Open VSX Registry is used by over 8,000,000 developers.

“This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines.” reads the report published by Koi Security. “By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX. One bug. Full marketplace takeover. “

In May 2025, researchers found a flaw in Open VSX’s auto-publishing process. The expert explained that a nightly GitHub Actions workflow runs npm install on untrusted extension code, exposing a secret token (OVSX_PAT) with permission to publish or overwrite any extension.

“This workflow runs with privileged credentials including a secret token ( OVSX_PAT) of the @open-vsx service account that has the power to publish (or overwrite) any extension in the marketplace. In theory, only trusted code should ever see that token.” states the report.

Malicious code in build scripts could steal this token, allowing attackers to hijack the entire Open VSX marketplace and compromise the supply chain for millions of developers.

“The root of the vulnerability is that npm install runs the arbitrary build scripts of all the auto-published extensions, and their dependencies, while providing them with access to the OVSX_PAT environment variable.” continues the report. “We verified that we could indeed exfiltrate OVSX_PAT by exploiting the vulnerable workflow design by using this example repository.”

Attackers could steal the @open-vsx token to publish or modify extensions with malicious code. MITRE added “IDE Extensions” to its ATT&CK framework in April 2025, highlighting the risk of using extensions for persistent access.

The experts pointed out that it is a massive supply chain risk, similar to SolarWinds, affecting millions of developers through IDE auto-updates, especially in desktop editors like VS Code, VSCodium, and Cursor.

Below is the disclosure timeline:

• May 4, 3:18 PM: Vulnerability disclosed.
• May 5, 12:25 PM: Report acknowledged.
• May 5, 11:34 PM: First fix proposed.
• May 6, 10:23 AM: Fix reviewed by us.
• May 7, 4:47 PM: Second fix proposed.
• May 8, 1:41 PM: Fix reviewed by us.
• May 14, 2:18 PM: Third fix proposed.
• May 14, 3:22 PM: Fix reviewed by us.
• May 15, 4:23 PM: Forth fix proposed.
• May 15, 9:02 PM: Fix reviewed by us.
• May 19, 1:29 PM: Fifth fix proposed.
• May 19, 11:36 PM: Fix reviewed by us.
• May 21, 12:58 PM: Sixth fix proposed.
• May 22, 6:09 PM: Fix reviewed by us.
• June 25, 7:20 PM Fix deployed.

“The problem is universal: if it’s code, and it runs in your environment, it’s part of your attack surface.” concludes the report. “Every marketplace item is a potential backdoor. They’re unvetted software dependencies with privileged access, and they deserve the same diligence as any package from PyPI, npm, Hugginface, or GitHub. If left unchecked, they create a sprawling, invisible supply chain that attackers are increasingly exploiting.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Open VSX Registry)