OpenVSX

Open-source VS Code extension registry; 73 extensions turned malicious by GlassWorm, April 2026.

Last refreshed: 30 April 2026 · Appears in 1 active topic

Key Question

Should enterprises mirror and manually vet OpenVSX extensions rather than pulling direct from the registry?

Timeline for OpenVSX

29 Apr: Three supply-chain hits in thirteen days

Topic: Cybersecurity: Threats and Defences
Common Questions
Is OpenVSX safe to use after the GlassWorm attack in April 2026?
OpenVSX itself remains operational; the damage is confined to the 73 extensions that received malicious updates, which need to be identified and removed from every affected installation. The Eclipse Foundation, as the registry operator, is the appropriate body to confirm which extensions and versions were compromised. Because the malicious code executed inside the IDE of anyone who pulled the update, a workstation that ran one of those versions should be treated as compromised, not merely cleaned of the extension. Enterprises should consider an internal extension mirror with manual vetting rather than pulling directly from the registry. Source: Bleeping Computer
What is the difference between OpenVSX and the Microsoft VS Code Marketplace?
OpenVSX is an open-source registry operated by the Eclipse Foundation and used as the default marketplace by VSCodium and other VS Code derivatives that are independent of Microsoft. Microsoft's Visual Studio Marketplace is proprietary, tied to Microsoft telemetry and accounts, and applies more centralised review to extension publishing. OpenVSX is chosen by developers who want to avoid Microsoft data collection or who operate in sovereignty-sensitive environments.
How can I check which OpenVSX extensions are installed in my VS Code deployments?
Run `code --list-extensions --show-versions` (or `codium --list-extensions --show-versions` for VSCodium) on developer workstations; it prints one `publisher.name@version` line per installed extension. Alternatively, query your endpoint management platform for the contents of each user's extensions directory. Cross-reference the extension IDs and versions against the list of GlassWorm-compromised extensions once it is published by the Eclipse Foundation or security researchers; matching on version matters, because the malicious code arrived as an update to previously benign extensions.

Background

OpenVSX is an open-source alternative registry for Visual Studio Code extensions, hosted by the Eclipse Foundation. It is the default extension marketplace for open-source VS Code derivatives, including VSCodium and Eclipse Theia, and it is also the upstream for organisations that run air-gapped or self-hosted deployments and mirror an external registry rather than using Microsoft's proprietary Visual Studio Marketplace. Launched in 2020, it is a free community registry to which any extension author can publish without a Microsoft account, which makes it the primary extension channel in sovereignty-sensitive and open-source deployment environments.

On 27 April 2026, the GlassWorm campaign pushed staged malicious updates to 73 previously benign, long-dormant OpenVSX extensions at once. Any developer who had one of those extensions installed, and whose IDE pulled the new version (VS Code and its derivatives auto-update extensions by default), ran the malicious code.

OpenVSX's governance model is that of an open community registry, with less centralised review of extension updates than Microsoft's marketplace, which leaves it structurally more exposed to the dormant-extension-update pattern GlassWorm exploited. The attack targeted extensions with an existing install base but no recent update activity, precisely the extensions users stop auditing because nothing has changed; a sudden new version of such an extension is itself the signal to look for. The GlassWorm incident is likely to accelerate discussion inside the Eclipse Foundation on update-signing requirements and suspicious-update detection, and may prompt enterprise policies requiring internal extension mirrors with manual vetting (pinning approved `publisher.name@version` entries) rather than direct registry pulls.
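The two checks that follow from the discussion above, as an added example that is not code from the page, from the Eclipse Foundation or from any VS Code tooling: `find_compromised` answers the "How can I check" question by matching the output of `code --list-extensions --show-versions` against a blocklist of compromised extension IDs, and `check_allowlist` implements the mirror-with-vetting policy by reporting any installed extension that is not an exactly vetted `publisher.name@version` entry, which is what a dormant extension gaining a surprise new version looks like from the endpoint. The blocklist and allowlist formats (plain text, one entry per line, `#` comments) and every extension ID in the demo data are constructed for this example; substitute the published indicator list and your mirror's manifest.

```shell
#!/bin/sh
# Added example, not code from the page or from the Eclipse Foundation.
# Input on stdin is the format of `code --list-extensions --show-versions`
# (also printed by `codium`): one "publisher.name@version" per line.
# List file formats are an assumption for this example: plain text, one entry
# per line, '#' comments and blank lines ignored.

# Lowercase, strip CRs, comments and blank lines. IDs are compared
# case-insensitively because the registry does not distinguish case.
normalise() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' | grep -v '^#' \
        | grep -v '^[[:space:]]*$' | sort -u
}

# $1: blocklist of compromised extension IDs (no versions).
# Prints each installed "id@version" whose id is on the blocklist.
find_compromised() {
    bad=$(normalise < "$1")
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id=$(printf '%s' "$line" | cut -d@ -f1 | tr '[:upper:]' '[:lower:]')
        [ -n "$id" ] || continue
        if printf '%s\n' "$bad" | grep -qxF "$id"; then
            printf '%s\n' "$line"
        fi
    done
}

# $1: allowlist of vetted "id@version" entries (your mirror's manifest).
# Prints "DRIFT <entry>" for a vetted id running an unvetted version
# (the GlassWorm pattern) and "UNKNOWN <entry>" for an id never vetted.
check_allowlist() {
    ok=$(normalise < "$1")
    ok_ids=$(printf '%s\n' "$ok" | cut -d@ -f1 | sort -u)
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        entry=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
        id=${entry%%@*}
        [ -n "$id" ] || continue
        if printf '%s\n' "$ok" | grep -qxF "$entry"; then
            continue
        elif printf '%s\n' "$ok_ids" | grep -qxF "$id"; then
            printf 'DRIFT %s\n' "$line"
        else
            printf 'UNKNOWN %s\n' "$line"
        fi
    done
}

# Collect the real listing from whichever CLI is present on the workstation.
list_installed() {
    for cli in code codium; do
        if command -v "$cli" >/dev/null 2>&1; then
            "$cli" --list-extensions --show-versions
        fi
    done
    return 0
}

# Constructed demo data (not real indicator lists): replace the blocklist with
# the published GlassWorm IDs and the allowlist with your vetted manifest.
tmp=$(mktemp -d)
printf '# compromised IDs\nevil.helper\nAcme.Theme\n' > "$tmp/blocklist.txt"
printf 'ms-python.python@2024.1.0\nacme.theme@0.8.0\n' > "$tmp/allowlist.txt"
installed='ms-python.python@2024.1.0
acme.theme@0.9.0
evil.helper@1.2.3'
printf '%s\n' "$installed" | find_compromised "$tmp/blocklist.txt"
printf '%s\n' "$installed" | check_allowlist "$tmp/allowlist.txt"
rm -r "$tmp"
```

On a real workstation the pipeline is `list_installed | check_allowlist manifest.txt`; run it from endpoint management as each user, since extensions are installed per user profile. A DRIFT line on an extension that had not been updated in months is exactly the signal the staged-update pattern produces, and it fires before any blocklist exists.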

OpenVSX is the third vector in a 13-day supply-chain attack window, alongside TeamPCP (SAP npm) and a PyPI infostealer. Taken together, the three incidents show that the developer toolchain is now a primary attack surface: compromising a developer's workstation yields credentials and source access that serve as the foothold for lateral movement.

Source Material