A critical vulnerability in Open VSX Registry (open-vsx.org) could have allowed attackers to compromise millions of developers through malicious extension updates.
The flaw, discovered by Koi Security researchers, impacted popular VS Code forks like Cursor, Windsurf, and VSCodium, used by over 8 million developers globally.
By exploiting a GitHub Actions misconfiguration, attackers could steal privileged credentials and publish malicious updates to any extension in the marketplace.
GitHub Actions Workflow Flaw Enabled Full Takeover
The vulnerability resided in Open VSX’s auto-publishing mechanism.
When developers submitted extensions via extensions.json, a nightly GitHub Actions workflow processed them using the @open-vsx service account’s high-privilege token (OVSX_PAT).
The workflow executed npm install during builds, exposing the token to extension dependencies’ arbitrary scripts.
Attackers could exfiltrate the token by embedding malicious code in an extension's dependencies. A stolen token gave full control over the marketplace, allowing an attacker to:
- Publish new malicious extensions
- Overwrite existing extensions with backdoored updates
- Silently deploy malware to developer environments via auto-updates
The workflow code lacked safeguards against environment variable leakage:
```yaml
- name: Publish extension
  run: |
    npm install
    npx ovsx publish -p ${{ secrets.OVSX_PAT }}
```
This allowed dependency scripts to access OVSX_PAT during npm install.
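A way to check workflows for this pattern, added here as an example and not taken from Open VSX or Koi Security: the function flags any step that runs a dependency install while a secret is in scope. It assumes the workflow has already been parsed into a mapping; the `audit` and `secrets_in` names and both sample workflows are constructed for illustration.

```python
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
# Package-manager commands that run dependencies' lifecycle scripts.
INSTALL_CMD = re.compile(
    r"\b(?:npm\s+(?:install|ci|i)|yarn\s+install|pnpm\s+(?:install|i))\b")

def secrets_in(value):
    """Names of secrets referenced in a string or in an env mapping."""
    if isinstance(value, dict):
        value = " ".join(str(v) for v in value.values())
    return set(SECRET_REF.findall(str(value or "")))

def audit(workflow):
    """Return (job, step, secrets) for each step that runs install scripts
    while a secret is in scope via workflow, job or step env, or the command."""
    findings = []
    wf_scope = secrets_in(workflow.get("env"))
    for job_name, job in workflow.get("jobs", {}).items():
        job_scope = wf_scope | secrets_in(job.get("env"))
        for step in job.get("steps", []):
            run = step.get("run", "")  # steps that only have `uses:` carry no script
            runs_scripts = any(
                INSTALL_CMD.search(line) and "--ignore-scripts" not in line
                for line in run.splitlines())
            exposed = job_scope | secrets_in(step.get("env")) | secrets_in(run)
            if runs_scripts and exposed:
                name = step.get("name", "<unnamed>")
                findings.append((job_name, name, sorted(exposed)))
    return findings

# Constructed sample: the step quoted above, in the shape a YAML parser returns.
VULNERABLE = {"jobs": {"publish": {"steps": [
    {"name": "Publish extension",
     "run": "npm install\nnpx ovsx publish -p ${{ secrets.OVSX_PAT }}\n"},
]}}}

# Constructed sample (assumed layout, not the project's actual fix): dependencies
# are installed in a job that holds no secret; the token is set only on a step
# that publishes an already-built package.
ISOLATED = {"jobs": {
    "build": {"steps": [
        {"name": "Build",
         "run": "npm install\nnpx @vscode/vsce package -o extension.vsix\n"},
    ]},
    "publish": {"needs": "build", "steps": [
        {"uses": "actions/download-artifact@v4"},
        {"name": "Publish", "env": {"OVSX_PAT": "${{ secrets.OVSX_PAT }}"},
         "run": "npx ovsx publish extension.vsix\n"},
    ]},
}}
```

To audit a real file, pass `audit` the mapping that a YAML parser such as PyYAML's `yaml.safe_load` returns for the workflow text.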
Supply Chain Impact Across Development Ecosystem
Compromised extensions could execute arbitrary code with user privileges, enabling:
- Keylogging and credential theft
- Source code exfiltration
- Backdoor implantation in projects
- CI/CD pipeline compromise
Affected platforms included:
| Platform | Estimated Users |
|---|---|
| Cursor | 1,000,000+ |
| Gitpod | 1,500,000+ |
| Google Cloud Shell | 100,000+ |
| VSCodium | 300,000+ |
The risk extended beyond local machines to web-based IDEs like GitLab Web IDE and StackBlitz.
Mitigation and Ongoing Supply Chain Risks
Following responsible disclosure on May 4, 2025, Open VSX maintainers deployed six rounds of fixes before patching the vulnerability on June 25.
The solution involved isolating token access during builds.
This incident highlights critical supply chain lessons:
- Zero-trust extension governance: All marketplace items should be treated as untrusted code
- CI/CD hardening: Build pipelines must sandbox secrets and limit script execution
- Continuous monitoring: Organizations need real-time detection for malicious extension updates
MITRE recently added “IDE Extensions” (T1574.009) to its ATT&CK framework, acknowledging this emerging threat vector.
Developers should audit installed extensions and enforce strict marketplace policies.