
Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions

Severity: Medium
Tags: vulnerability, rce
Published: Wed Feb 04 2026 (02/04/2026, 06:26:00 UTC)
Source: The Hacker News

Description

The Eclipse Foundation, which maintains the Open VSX Registry, has announced plans to enforce security checks before Microsoft Visual Studio Code (VS Code) extensions are published to the open-source repository to combat supply chain threats. The move marks a shift from a reactive to a proactive approach to ensure that malicious extensions don't end up getting published on the Open VSX Registry.

AI-Powered Analysis

Last updated: 02/04/2026, 09:33:47 UTC

Technical Analysis

The Eclipse Foundation operates the Open VSX Registry, the vendor-neutral registry of VS Code-compatible extensions that VSCodium, Eclipse Theia and other VS Code forks use because they cannot pull from Microsoft's Visual Studio Marketplace. The Foundation has announced that every extension submitted to Open VSX will pass mandatory security checks before it is published. Until now the registry handled malicious extensions reactively: an extension was investigated and removed after publication, once it had been reported. With rising publication volume that model leaves a window during which a malicious package is live and installable by anyone.

The new checks run automatically on each submission and look for three classes of indicators: namespace or extension-name impersonation (typosquats of well-known publishers), credentials or secrets accidentally bundled into the package, and code patterns already known to be malicious. An extension that trips a check is held for manual review instead of being published. The rollout is phased: a monitoring period in February 2026 to tune the detectors and reduce false positives, followed by enforcement from March 2026. This is broadly the model Microsoft already applies to the Visual Studio Marketplace, which scans for malware at publish time and periodically rescans published extensions.

One point worth stating precisely: no vulnerability or exploit is needed for a malicious extension to run code. Extensions execute in the editor's extension host process with the user's full privileges and no sandbox, so "installed" already means "executed on the developer's machine". The pre-publish checks raise the floor against obvious abuse; they cannot reliably catch a carefully written implant. The source reports no active exploitation of Open VSX extensions in the wild, and the initiative's stated goal is to preserve trust in Open VSX as shared infrastructure that many editors and developers depend on.

Potential Impact

For European organizations the exposure is a supply-chain one: a malicious or compromised extension installed from Open VSX runs as the developer, so it can execute code, read source and credentials from the workstation, and pivot into internal networks or CI systems, with intellectual property theft as the likely objective. The risk is concentrated in teams that use VSCodium, Theia-based IDEs or other editors that resolve extensions from Open VSX rather than from Microsoft's Marketplace.

Pre-publish enforcement lowers the chance that obviously malicious packages are published, but it is not a complete control. Typosquatted names and namespace impersonation remain the realistic path in, since they rely on a developer misreading a publisher rather than on the registry missing a signature. During the transition legitimate publishers may also see delays or false positives, which can hold up internal tooling that depends on a timely extension release. Organizations should therefore treat extensions as third-party code, keep their own allow-lists and monitoring in place, and align internal vetting with the registry's new process rather than relying on it alone.

Mitigation Recommendations

European organizations should implement the following specific measures:

1) Inventory the extensions in use. On each machine `code --list-extensions --show-versions` (or `codium ...` for VSCodium) lists them; the installed packages live under `~/.vscode/extensions` (`~/.vscode-oss/extensions` for VSCodium), each in a directory containing a `package.json` that names its `publisher`. Record which editors in the estate resolve extensions from Open VSX.

2) Allow-list rather than block-list. Restrict installation to vetted publisher/extension pairs through the editor's policy settings (VS Code exposes an `extensions.allowed` setting for this) and pin versions where the editor supports it.

3) Scan `.vsix` packages before they reach developer machines. The checks Open VSX describes (publisher impersonation, embedded secrets, known-bad code patterns) are cheap to replicate in an internal pipeline that gates an extension mirror or an approved-extensions bundle.

4) Teach developers to verify the publisher namespace, not just the extension's display name, because impersonation attacks copy the name and icon of a popular extension under a look-alike publisher.

5) Track Open VSX policy and tooling changes so internal vetting stays consistent with what the registry now enforces.

6) Monitor the extension host at runtime. It is a separate process spawned by the editor, so unexpected child processes, file access outside the workspace, or outbound connections from it are high-signal events for EDR rules.

7) Follow community threat-intelligence feeds that cover editor-extension abuse, so a removal or typosquat campaign reported elsewhere is acted on internally.

8) If the organization publishes extensions to Open VSX, plan for false positives or delays during the February monitoring period and the March 2026 enforcement start, and coordinate release timing with the teams that depend on those extensions.

These actions go beyond generic advice by focusing on supply-chain controls and developer awareness specific to the Open VSX ecosystem.
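The technical analysis lists the three classes of check Open VSX will apply (publisher impersonation, leaked secrets, known-malicious code patterns), and recommendation 3 suggests replicating them internally. The script below is an added example of such a scanner, written for this page; it is not Eclipse Foundation, Open VSX or Microsoft code. It relies only on the facts that a `.vsix` is a zip archive and that the extension's manifest sits at `extension/package.json`. The trusted-publisher list, the similarity threshold, the secret and code regexes, and the two sample packages are all constructed for the demo.

```python
"""Toy pre-publish scanner for VS Code extension packages (.vsix).

Added example, not Open VSX's own code. A .vsix is a zip archive whose
extension manifest is extension/package.json. The three check classes
follow the article: name/namespace impersonation, bundled secrets and
known-suspicious code. The allow-list, thresholds and regexes are
illustrative assumptions, not a production rule set.
"""
import io
import json
import re
import zipfile
from difflib import SequenceMatcher

# Assumed allow-list of well-known publishers (constructed for the example).
TRUSTED_PUBLISHERS = {"ms-python", "redhat", "esbenp", "dbaeumer"}

# Secret formats: AWS access key id, GitHub classic PAT, PEM private key.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Code patterns that warrant quarantine for human review, not auto-reject.
SUSPICIOUS_CODE = {
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)"),
    "eval_of_decoded_payload": re.compile(r"eval\(\s*Buffer\.from\("),
}


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical (case-insensitive)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_impersonation(publisher, threshold=0.8):
    """Flag a publisher that is close to, but not equal to, a trusted one."""
    if publisher in TRUSTED_PUBLISHERS:
        return []
    close = [p for p in sorted(TRUSTED_PUBLISHERS)
             if similarity(publisher, p) >= threshold]
    return [f"publisher '{publisher}' resembles trusted '{p}'" for p in close]


def check_secrets(path, text):
    return [f"{name} in {path}"
            for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def check_code(path, text):
    return [f"{name} in {path}"
            for name, rx in SUSPICIOUS_CODE.items() if rx.search(text)]


def scan_vsix(data):
    """Return (verdict, findings) for raw .vsix bytes.

    verdict is 'publish' when nothing fired, otherwise 'quarantine',
    mirroring the hold-for-manual-review behaviour described in the article.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = json.loads(zf.read("extension/package.json"))
        findings += check_impersonation(manifest.get("publisher", ""))
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            findings += check_secrets(info.filename, text)
            if info.filename.endswith((".js", ".ts", ".json")):
                findings += check_code(info.filename, text)
    return ("quarantine" if findings else "publish"), findings


def build_sample_vsix(publisher, extra_js="", env_contents=""):
    """Constructed sample package: minimal manifest, entry point, .env file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", json.dumps({
            "name": "python-helper", "publisher": publisher,
            "version": "0.0.1", "main": "./out/extension.js"}))
        zf.writestr("extension/out/extension.js",
                    "exports.activate = function () {};\n" + extra_js)
        zf.writestr("extension/.env", env_contents)
    return buf.getvalue()


if __name__ == "__main__":
    # Look-alike publisher, shelling out, decoded-then-eval'd payload, leaked key.
    bad = build_sample_vsix(
        "ms-pyth0n",
        "const cp = require('child_process');\n"
        "eval(Buffer.from('aGk=', 'base64').toString());\n",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
    for verdict, findings in (scan_vsix(bad), scan_vsix(build_sample_vsix("ms-python"))):
        print(verdict, findings)
```

The string-similarity check is deliberately loose: it is meant to route near-misses of trusted publishers to a human, the same trade-off the article describes for the February tuning period. A real pipeline would also verify the package's publisher signature and compare against the registry's actual namespace ownership rather than a static allow-list.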


Technical Details

Article Source: https://thehackernews.com/2026/02/eclipse-foundation-mandates-pre-publish.html (fetched 2026-02-04T09:33:13Z, 961 words)

Threat ID: 6983125df9fa50a62f7d2a9a

Last updated: 2/6/2026, 8:57:13 AM
