Advisory

Researchers report flaw in Open VSX Registry that can compromise VS Code extensions marketplace

Take action: When designing your CI/CD system, review what code it will run and whether it will expose your API keys and other secrets to untrusted third-party code that may be malicious. If your CI/CD will run such code, consider levels of isolation, or use API keys that are valid for that session only and carry limited permissions. Yes, this is very difficult, but it's part of the complexity of running any code from anyone.


Learn More

Cybersecurity researchers are reporting a vulnerability in the Open VSX Registry that could have enabled attackers to take complete control of the Visual Studio Code extensions marketplace. Exploiting this flaw is a nightmare scenario for the software development ecosystem, as it could have allowed malicious actors to silently distribute backdoored updates to developer environments.

Open VSX serves as a vendor-neutral alternative to Microsoft's proprietary Visual Studio Marketplace and has become the primary extension distribution platform for numerous popular VS Code forks and cloud-based development environments like Cursor, Windsurf, VSCodium, Gitpod, Google Cloud Shell Editor, StackBlitz, Eclipse Theia, and others. 

The vulnerability is tracked as CVE-2025-6705 (CVSS score 7.8) and affects Open VSX Registry (open-vsx.org), an open-source marketplace for Visual Studio Code extensions maintained by the Eclipse Foundation. The flaw lies in Open VSX's automated extension publishing mechanism, specifically in the GitHub Actions workflow of the publish-extensions repository.

When developers submit extensions for auto-publishing by adding them to the extensions.json file through pull requests, a nightly GitHub Actions workflow would process these submissions using a high-privilege token (OVSX_PAT) belonging to the @open-vsx service account. This token possessed the power to publish or overwrite any extension in the marketplace.

The workflow runs npm install during the build process, which executes arbitrary build scripts from all auto-published extensions and their dependencies while giving them access to the OVSX_PAT environment variable. This design weakness allowed malicious actors to potentially exfiltrate the super-admin token by embedding malicious code in an extension's dependencies, effectively granting them complete control over the marketplace infrastructure.

"This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines," explained Oren Yomtov of Koi Security. "By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX." The researcher emphasized that every marketplace item represents a potential backdoor, describing them as unvetted software dependencies with privileged access that deserve the same security diligence as packages from PyPI, npm, or GitHub.

Once compromised, attackers could have leveraged this access to publish new malicious extensions, tamper with existing extensions by inserting backdoors, and silently deploy malware to developer environments through automatic updates. 

The risk posed by IDE extensions has gained recognition from security authorities, with MITRE introducing a new "IDE Extensions" technique (T1574.009) to its ATT&CK framework in April 2025. 

Following responsible disclosure on May 4, 2025, the Eclipse Foundation Security Team immediately contacted the Open VSX team to begin remediation efforts. After six rounds of proposed fixes and extensive validation, the vulnerability was successfully patched on June 25, 2025. The solution involved isolating token access during builds to prevent unauthorized exposure to extension dependencies.
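
The difference between the original layout (token exported for the whole job) and the fix described above (token withheld from the build) can be shown with a short shell script. This is an added example, not the publish-extensions workflow or the project's own code. The two inline scripts are constructed stand-ins for a dependency's install script and for the publish step, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: constructed stand-ins, not the publish-extensions workflow.

# Stand-in for an install script from an untrusted dependency. It only
# reports whether the publishing token is readable from its environment.
untrusted_build_script='[ -n "${OVSX_PAT:-}" ] && echo token-visible || echo token-hidden'

# Stand-in for the trusted publish step, which runs no third-party code.
trusted_publish_script='[ -n "${OVSX_PAT:-}" ] && echo publish-authorised || echo publish-denied'

# Weak layout: the token is exported for the whole job, so every child
# process started by the build step inherits it.
build_with_job_wide_token() {
  ( export OVSX_PAT="$1"; sh -c "$untrusted_build_script" )
}

# Isolated layout, build phase: the token still exists in the parent, but the
# build starts from an empty environment plus an allowlist of what it needs.
build_isolated() {
  ( export OVSX_PAT="$1"
    env -i PATH="$PATH" HOME="${HOME:-/tmp}" sh -c "$untrusted_build_script" )
}

# Isolated layout, publish phase: only this step is handed the token.
publish_isolated() {
  env -i PATH="$PATH" OVSX_PAT="$1" sh -c "$trusted_publish_script"
}

# Guard for the top of a build step: refuse to run third-party code while
# any of the named secrets is still exported to child processes.
require_unset() {
  for name in "$@"; do
    if env | grep -q "^${name}="; then
      echo "refusing to build: ${name} is exported" >&2
      return 1
    fi
  done
  return 0
}

# The token value below is a constructed placeholder.
echo "job-wide token:   $(build_with_job_wide_token constructed-token)"
echo "isolated build:   $(build_isolated constructed-token)"
echo "isolated publish: $(publish_isolated constructed-token)"
```

In a real pipeline the build and publish phases would also be separate jobs or steps, so that nothing produced by third-party code runs in the process that holds the token.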
