
"The Eclipse Foundation, which maintains the Open VSX Registry, has announced plans to enforce security checks before Microsoft Visual Studio Code (VS Code) extensions are published to the open-source repository to combat supply chain threats. The move marks a shift from a reactive to a proactive approach to ensure that malicious extensions don't end up getting published on the Open VSX Registry."
""Up to now, the Open VSX Registry has relied primarily on post-publication response and investigation. When a bad extension is reported, we investigate and remove it," Christopher Guindon, director of software development at the Eclipse Foundation, said. "While this approach remains relevant and necessary, it does not scale as publication volume increases and threat models evolve.""
"By implementing pre-publish checks, the idea is to limit the window of exposure and flag the following scenarios, as well as quarantine suspicious uploads for review instead of publishing them immediately:
- Clear cases of extension name or namespace impersonation
- Accidentally published credentials or secrets
- Known malicious patterns"
The Eclipse Foundation will enforce pre-publish security checks for Visual Studio Code extensions uploaded to the Open VSX Registry to reduce supply chain threats. The change shifts defenses from reactive post-publication removal to proactive vetting designed to prevent malicious extensions from being published. Pre-publish checks will detect extension name or namespace impersonation, accidentally published credentials or secrets, and known malicious patterns, and will quarantine suspicious uploads for manual review. The move responds to rising attacks on registries, including typosquatting and compromised publisher accounts used to push poisoned updates. The verification program will roll out in stages with monitoring planned in February 2026.
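To make the three scenarios concrete, here is an added example of what a minimal pre-publish gate of this kind can look like; it is illustration only, not Open VSX code, and the trusted-namespace list, detection patterns and sample upload are all constructed.

```javascript
// Added example (not Open VSX code): a toy pre-publish gate covering the
// three scenarios the article lists. Namespace list, patterns and the
// sample extension below are constructed for illustration.
const TRUSTED_NAMESPACES = ["ms-python", "redhat", "eclipse"]; // constructed
// Shapes of commonly leaked credentials (AWS key id, GitHub PAT, PEM key).
const SECRET_PATTERNS = [
  /\bAKIA[0-9A-Z]{16}\b/,
  /\bghp_[A-Za-z0-9]{36}\b/,
  /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/,
];
// Obfuscated-loader idiom: a base64 blob decoded and passed straight to eval.
const MALICIOUS_PATTERNS = [/\beval\s*\(\s*Buffer\.from\(/];

// Levenshtein distance, used to spot lookalike namespaces (e.g. 0 for o).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// manifest: parsed package.json; files: { path: text } of the package contents.
// Returns "publish" or "quarantine" plus the reasons, mirroring the
// quarantine-for-review behaviour described above.
function prePublishCheck(manifest, files) {
  const findings = [];
  const ns = String(manifest.publisher || "").toLowerCase();
  if (!TRUSTED_NAMESPACES.includes(ns)) {
    for (const t of TRUSTED_NAMESPACES) {
      if (editDistance(ns, t) <= 1) findings.push(`namespace-impersonation:${ns}~${t}`);
    }
  }
  for (const [path, text] of Object.entries(files)) {
    if (SECRET_PATTERNS.some((re) => re.test(text))) findings.push(`secret:${path}`);
    if (MALICIOUS_PATTERNS.some((re) => re.test(text))) findings.push(`malicious-pattern:${path}`);
  }
  return { verdict: findings.length ? "quarantine" : "publish", findings };
}

// Constructed sample upload: lookalike publisher plus a leaked key in .env.
const SAMPLE_MANIFEST = { name: "python", publisher: "ms-pyth0n" };
const SAMPLE_FILES = {
  "extension.js": "exports.activate = () => console.log('hi');",
  ".env": "AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF\n", // constructed, not a real key
};
const SAMPLE_RESULT = prePublishCheck(SAMPLE_MANIFEST, SAMPLE_FILES);
```

A real registry would back the namespace check with verified ownership records rather than a static list, and would run secret and pattern scans over the unpacked VSIX archive.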
Read at The Hacker News