The Eclipse Foundation will implement mandatory security reviews for VS Code extensions published to Open VSX Registry, shifting from reactive takedowns to proactive prevention of supply chain attacks.

The Eclipse Foundation has announced a fundamental shift in how it handles security for the Open VSX Registry, introducing mandatory pre-publication security checks for Visual Studio Code extensions. This proactive approach aims to combat the rising threat of supply chain attacks targeting developers through malicious extensions.
Christopher Guindon, Director of Software Development at the Eclipse Foundation, explained the rationale: "Our previous approach relied primarily on post-publication response. When a malicious extension was reported, we investigated and removed it. While necessary, this reactive model doesn't scale effectively as publication volumes increase and threat landscapes evolve."
The decision comes amid escalating attacks on open-source ecosystems. Recent incidents include:
- Namespace impersonation and typosquatting attacks
- Compromised publisher accounts pushing poisoned updates
- Socket's recent report of hijacked accounts distributing malicious packages
Starting in March 2026, all new extensions submitted to Open VSX Registry will undergo automated security screening before publication. The system will flag and quarantine submissions exhibiting:
- Clear cases of extension name or namespace impersonation
- Accidental inclusion of credentials or secrets
- Known malicious code patterns
This approach mirrors Microsoft's existing vetting process for the Visual Studio Marketplace, which includes malware scanning at upload time, post-publication rescanning, and periodic bulk rescans.
The rollout will occur in phases:
- February 2026: Monitoring mode (checks without blocking)
- March 2026: Full enforcement with quarantine capabilities
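The three screening categories listed above and the two-phase rollout (monitoring, then enforcement) can be sketched as a small pre-publication check. The following is an added illustration written for this article, not Open VSX's or the Eclipse Foundation's own code, and nothing here is known about how their scanner is built. It assumes a submission arrives as a publisher/name pair plus a mapping of file paths to text, and every identifier, signature and threshold in it (the `WELL_KNOWN` set, `SECRET_PATTERNS`, `MALICIOUS_PATTERNS`, the 0.85 similarity cut-off, the `mode` values) is a constructed placeholder for whatever a real registry would derive from its own catalogue and threat feeds.

```python
"""Sketch of a pre-publication screening step for a VS Code extension registry.

Added illustration, not Open VSX's or Eclipse's code. It assumes an extension
arrives as (publisher, name) plus a mapping of file path -> text content, and
applies three checks of the kind the announcement describes: namespace
impersonation, accidentally committed secrets, and known malicious code patterns.
"""
import difflib
import re
from dataclasses import dataclass

# Constructed "well-known" extension identifiers; a real registry would use
# its own catalogue of established publishers and high-download extensions.
WELL_KNOWN = {("acme", "linter-pro"), ("bluebird", "theme-pack")}

# Regexes for credential formats that are commonly committed by accident.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed signature list standing in for a registry's malicious-pattern feed.
MALICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(r"\beval\s*\(\s*(?:atob|Buffer\.from)\s*\("),
}


@dataclass(frozen=True)
class Finding:
    check: str   # "impersonation", "secret" or "malicious_pattern"
    path: str    # file in the submission where the issue was found
    detail: str  # human-readable explanation for the publisher


def check_impersonation(publisher, name, known=WELL_KNOWN, threshold=0.85):
    """Flag identifiers that closely resemble, but are not, a well-known one."""
    candidate = f"{publisher}.{name}"
    findings = []
    for kp, kn in known:
        if (publisher, name) == (kp, kn):
            continue  # the genuine extension itself, not an impersonator
        similarity = difflib.SequenceMatcher(None, candidate, f"{kp}.{kn}").ratio()
        if similarity >= threshold:
            findings.append(Finding("impersonation", "package.json",
                                    f"{candidate} resembles {kp}.{kn} ({similarity:.2f})"))
    return findings


def scan_files(files, patterns, check):
    """Run a dict of named regexes over every file; one finding per (file, pattern) hit."""
    findings = []
    for path, content in files.items():
        for label, pattern in patterns.items():
            if pattern.search(content):
                findings.append(Finding(check, path, label))
    return findings


def screen_submission(publisher, name, files, mode="enforce"):
    """Return (findings, quarantined).

    mode="monitor" mirrors the monitoring phase: findings are recorded but the
    submission is never held back. mode="enforce" quarantines on any finding.
    """
    findings = (check_impersonation(publisher, name)
                + scan_files(files, SECRET_PATTERNS, "secret")
                + scan_files(files, MALICIOUS_PATTERNS, "malicious_pattern"))
    quarantined = mode == "enforce" and bool(findings)
    return findings, quarantined


if __name__ == "__main__":
    # Constructed submission: a look-alike publisher plus a committed AWS key id.
    sample_files = {
        "package.json": '{"name": "linter-pro", "publisher": "acrne"}',
        "src/config.js": 'const key = "AKIAEXAMPLE000000000";  // constructed, not a real key',
    }
    for mode in ("monitor", "enforce"):
        findings, held = screen_submission("acrne", "linter-pro", sample_files, mode)
        print(f"{mode}: quarantined={held}")
        for f in findings:
            print(f"  [{f.check}] {f.path}: {f.detail}")
```

Run as a script it screens the same constructed submission twice: in `monitor` mode both findings are reported but `quarantined` stays `False`, in `enforce` mode the same findings hold the submission. Publishers can run the secret and pattern scans over their own build output before submitting, which is the "catch issues early" outcome the announcement is after.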
"Our goal is to raise the security baseline while helping publishers catch issues early," Guindon emphasized. "By preventing obviously malicious extensions from entering the ecosystem, we strengthen trust in Open VSX as critical developer infrastructure."
This initiative represents a significant advancement in extension security, potentially establishing new standards for open-source registries combating supply chain threats. Developers publishing to Open VSX should prepare for these changes by reviewing their extension security practices in advance of the March enforcement date.
