
The Eclipse Foundation, which manages the Open VSX Registry, has announced plans to run security checks on Microsoft Visual Studio Code (VS Code) extensions before they are published to the registry, in an effort to combat software supply chain threats.
This move marks a shift from a reactive to a proactive approach to ensuring that malicious extensions are not published to the Open VSX registry.
“Until now, the Open VSX Registry has relied primarily on post-publication response and investigation. When malicious extensions are reported, we investigate and remove them,” said Christopher Guindon, director of software development at the Eclipse Foundation.
“While this approach remains relevant and necessary, it does not scale as the volume of publications increases and threat models evolve.”
The change comes as open source package registries and extension marketplaces are increasingly targeted by attackers, who use methods such as namespace spoofing and typosquatting to reach developers at scale. Just last week, Socket reported an incident in which a compromised publisher account was used to push harmful updates.
“By implementing pre-publication checks, we aim to limit the scope of publication, flag the following scenarios, and isolate suspicious uploads for review rather than publishing them immediately,” the Foundation said:
- Clear cases of extension name or namespace spoofing
- Accidentally exposed credentials or secrets
- Known malicious patterns
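As an added illustration of what checks for those three scenarios could look like, the Python sketch below runs a namespace look-alike check, a secret scan and a malicious-pattern scan over an uploaded extension's files, with a monitor-only mode that reports findings without blocking. This is example code written for this page; it is not the Open VSX Registry's validation code and says nothing about how that system is actually built. The publisher allow-list, the regular expressions, the sample upload and the `validate` interface are all constructed for the example.

```python
"""Illustrative pre-publication checks for a VS Code extension upload.
Example code for this article, not the Open VSX Registry's implementation."""
import re
import difflib

# Constructed allow-list of well-known publisher namespaces (hypothetical data).
KNOWN_NAMESPACES = {"ms-python", "ms-vscode", "redhat", "golang", "esbenp"}

# Digit/symbol substitutions commonly used to build look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

# Constructed secret signatures: GitHub tokens, AWS access key IDs, PEM private keys.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed "known malicious pattern" signatures: decode-then-eval loaders
# and download-to-shell pipelines.
MALICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(r"\beval\(\s*(?:atob|Buffer\.from)\("),
    "remote_script_to_shell": re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:sh|bash)\b"),
}


def normalize(namespace):
    """Collapse homoglyphs and punctuation so 'ms-pyth0n' compares equal to 'ms-python'."""
    return namespace.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def check_namespace(namespace):
    """Flag a publisher namespace that imitates a known one (exact names pass)."""
    if namespace in KNOWN_NAMESPACES:
        return []
    norm = normalize(namespace)
    for known in KNOWN_NAMESPACES:
        if norm == normalize(known):
            return [("namespace_spoofing", f"{namespace!r} is a homoglyph variant of {known!r}")]
        if difflib.SequenceMatcher(None, namespace.lower(), known).ratio() >= 0.85:
            return [("namespace_spoofing", f"{namespace!r} is within typo distance of {known!r}")]
    return []


def scan_files(files, patterns, kind):
    """Run each regex over every file in the upload; one finding per (pattern, file)."""
    findings = []
    for path, content in files.items():
        for name, rx in patterns.items():
            if rx.search(content):
                findings.append((kind, f"{name} in {path}"))
    return findings


def validate(manifest, files, enforce=True):
    """Return the publication decision plus findings.

    enforce=False models a monitor-only phase: findings are recorded but the
    upload is still published; enforce=True quarantines anything flagged.
    """
    findings = check_namespace(manifest["publisher"])
    findings += scan_files(files, SECRET_PATTERNS, "exposed_secret")
    findings += scan_files(files, MALICIOUS_PATTERNS, "known_malicious_pattern")
    decision = "quarantine" if findings and enforce else "publish"
    return {"decision": decision, "findings": findings}


# Constructed sample upload: a look-alike namespace, a committed .env with the
# AWS documentation placeholder key, and a decode-then-eval loader.
SUSPICIOUS_MANIFEST = {"publisher": "ms-pyth0n", "name": "python"}
SUSPICIOUS_FILES = {
    "package.json": '{"name": "python", "publisher": "ms-pyth0n"}',
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "out/extension.js": 'eval(Buffer.from("Y29uc29sZS5sb2coMSk=", "base64").toString());\n',
}
# Constructed clean upload for comparison.
CLEAN_MANIFEST = {"publisher": "acme-tools", "name": "yaml-lint"}
CLEAN_FILES = {"out/extension.js": "exports.activate = () => {};\n"}

if __name__ == "__main__":
    for label, manifest, files in (("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_FILES),
                                   ("clean", CLEAN_MANIFEST, CLEAN_FILES)):
        result = validate(manifest, files)
        print(label, "->", result["decision"])
        for kind, detail in result["findings"]:
            print("  -", kind + ":", detail)
```

The allow-list comparison is the only check that needs registry state; the secret and malicious-pattern scans operate on the upload alone, which is why they are the natural first candidates for a pre-publication gate. Signature lists like these are a floor, not a ceiling: a monitor-only period exists precisely to measure how often they fire on honest publishers before they are allowed to block.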
It’s worth noting that Microsoft has already implemented a similar multi-step review process for Visual Studio Marketplace. This includes scanning incoming packages for malware, rescanning all newly published packages immediately after publication, and periodically rescanning all packages in bulk.
The Extension Validation Program will be rolled out in stages. During February 2026, maintainers will monitor newly published extensions without blocking publication, fine-tune the system, reduce false positives, and improve the feedback given to publishers. Enforcement is scheduled to begin the following month.
“The goal and objective is to raise the security floor, help publishers catch issues early, and keep the experience predictable and fair for honest publishers,” Guindon said.
“Pre-publishing checks reduce the chance of obviously malicious or insecure extensions entering the ecosystem and increase trust in the Open VSX Registry as a shared infrastructure.”
