The flaw impacted Open VSX’s automated publishing system, putting multiple code editors and developer environments at risk.

Cybersecurity researchers have discovered a flaw in the Open VSX Registry that could have enabled full control over the extensions ecosystem used by more than eight million developers. The issue remained unpatched until 25 June 2025. The vulnerability, disclosed by Koi Security on 4 May 2025, affected the platform’s automated publishing infrastructure and placed numerous code editors and developer environments at risk.
Open VSX, maintained by the Eclipse Foundation, functions as a vendor-neutral alternative to Microsoft’s Visual Studio Marketplace. It supports VS Code forks including Cursor, Windsurf, Gitpod, and VSCodium. These platforms depend on Open VSX for distributing and updating extensions. “This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines,” according to Koi Security researcher Oren Yomtov.
Automated workflow leaked privileged token used in publishing VS Code extensions
The security flaw was located in the continuous integration workflow used to publish extensions listed in the extensions.json file of the Open VSX publish-extensions repository. This GitHub Actions workflow executes daily at 03:03 UTC, clones extension repositories, installs dependencies using npm, and publishes updates via the vsce utility.
During this process, the environment exposes a sensitive authentication token, OVSX_PAT, linked to the @open-vsx service account. This token allows the account to publish or overwrite any extension. “This workflow runs with privileged credentials including a secret token (OVSX_PAT) of the @open-vsx service account that has the power to publish (or overwrite) any extension in the marketplace,” explained Yomtov.
The issue arose because npm install executes user-defined build scripts, including those of any dependencies. These scripts had access to the same environment where the privileged token resided.
If exploited, the token could be extracted and used to upload malicious versions of any extension in the registry. Since updates are typically fetched in the background, developers would not be aware of any tampering. Given the privileges held by extensions within environments like VS Code, attackers could gain access to sensitive files, network interfaces, or execute arbitrary code.
“Every marketplace item is a potential backdoor,” Yomtov said. “They’re unvetted software dependencies with privileged access, and they deserve the same diligence as any package from PyPI, npm, Hugging Face, or GitHub.”
The threat posed by integrated development environment (IDE) extensions has been acknowledged more broadly. In April 2025, MITRE added “IDE Extensions” to its ATT&CK framework, identifying them as a technique for establishing persistent access via development environments.
Following the disclosure, the Eclipse Foundation implemented several mitigation measures, concluding with a final patch earlier this week. The changes modified the workflow to prevent unauthorised access to the publishing token during builds.
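The pattern described above, in which a job-wide publishing secret is visible to npm lifecycle scripts, and the kind of change that removes that exposure, can be shown side by side. The following is an added illustration written for this article, not the Open VSX project's actual workflow: both jobs are hypothetical, and the step names, artifact names, the `extension.vsix` path and the `ovsx publish` invocation are assumptions. Only the `OVSX_PAT` secret name, the daily 03:03 UTC schedule and the use of npm and vsce come from the text.

```yaml
# Risky layout (illustrative, not the real Open VSX workflow): the token is set
# at job level, so every step inherits it. "npm install" runs the preinstall,
# install and postinstall scripts of the extension and of every dependency, and
# any of those scripts can read OVSX_PAT from the environment.
name: publish-extensions-risky
on:
  schedule:
    - cron: "3 3 * * *"            # daily at 03:03 UTC, as the article describes
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      OVSX_PAT: ${{ secrets.OVSX_PAT }}   # job-level: exposed to all steps below
    steps:
      - uses: actions/checkout@v4
      - run: npm install                  # lifecycle scripts run with OVSX_PAT in env
      - run: npx @vscode/vsce package --out extension.vsix
      - run: npx ovsx publish extension.vsix --pat "$OVSX_PAT"   # assumed invocation
---
# Hardened layout (illustrative): build and publish are separate jobs. The build
# job never sees the secret and installs with lifecycle scripts disabled; it
# hands the packaged .vsix to the publish job as an artifact. The secret is
# scoped to the single step that needs it, and that step runs no install hooks.
name: publish-extensions-hardened
on:
  schedule:
    - cron: "3 3 * * *"
permissions:
  contents: read                          # least privilege for the GITHUB_TOKEN
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts      # no pre/post-install hooks execute here
      - run: npx @vscode/vsce package --out extension.vsix
      - uses: actions/upload-artifact@v4
        with:
          name: vsix
          path: extension.vsix
  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: vsix
      - run: npx ovsx publish extension.vsix --pat "$OVSX_PAT"   # assumed invocation
        env:
          OVSX_PAT: ${{ secrets.OVSX_PAT }}   # step-scoped: only this step sees it
```

Two caveats apply in practice. `--ignore-scripts` will break dependencies that rely on an install hook to build native code, so some extensions may need an explicit, reviewed build step instead; and `vsce package` still runs the extension's own `vscode:prepublish` script, so third-party code still executes in the build job. The point of the split is that whatever runs there has no token to steal, and a compromised build can at most produce a bad artifact for that one extension rather than overwrite every extension in the registry.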