
OpenVSX
Open-source VS Code extension registry; 73 extensions turned malicious by GlassWorm, April 2026.
Last refreshed: 30 April 2026 · Appears in 1 active topic
Should enterprises mirror and manually vet OpenVSX extensions rather than pulling direct from the registry?
Timeline for OpenVSX
Mentioned in: Attack worm kit now open-sourced freely
Cybersecurity: Threats and DefencesMentioned in: GitHub's own code cloned via add-on
Cybersecurity: Threats and DefencesMentioned in: GTIG names the first LLM-written working zero-day
Cybersecurity: Threats and DefencesMentioned in: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing
Cybersecurity: Threats and DefencesThree supply-chain hits in thirteen days
Cybersecurity: Threats and DefencesIs OpenVSX safe to use after the GlassWorm attack in April 2026?
What is the difference between OpenVSX and the Microsoft VS Code Marketplace?
How can I check which OpenVSX extensions are installed in my VS Code deployments?
Background
OpenVSX is an open-source alternative registry for Visual Studio Code extensions, hosted by the Eclipse Foundation. It serves as the default extension marketplace for open-source VS Code derivatives including VSCodium and Eclipse Theia, and is used by organisations that operate air-gapped or self-hosted VS Code deployments that mirror an external registry rather than using Microsoft's proprietary VS Code Marketplace. Launched in 2020, it is a free community registry that allows any extension author to publish without a Microsoft account, making it the primary channel for extensions in sovereignty-sensitive and open-source deployment environments.
On 27 April 2026, the GlassWorm campaign turned 73 dormant OpenVSX extensions simultaneously malicious via staged updates, compromising developers who had those extensions installed and whose IDEs pulled the malicious update.
OpenVSX's governance model operates as an open community registry with less centralised review of extension updates compared to Microsoft's marketplace, making it structurally more exposed to the dormant-extension-update attack pattern GlassWorm exploited. The attack targeted extensions with an existing install base but no recent update activity — the extensions users stop auditing because nothing has changed. The GlassWorm incident will accelerate discussions inside the Eclipse Foundation on update-signing requirements and suspicious-update detection, and may prompt enterprise policies requiring internal extension mirrors with manual vetting rather than direct registry pulls.
OpenVSX is the third vector in a 13-day supply-chain attack window alongside TeamPCP (SAP npm) and a PyPI infostealer, collectively illustrating that the developer toolchain is now a primary lateral-movement attack surface.