Open VSX Registry adds pre-publish security checks for VS Code extensions
Security Tool/Service
Summary
Hide ▲
Show ▼
Open VSX Registry will add pre-publish security checks for VS Code extensions, reducing the chance that malicious packages reach the ecosystem. The rollout uses February 2026 to monitor new uploads before blocking them, with enforcement starting next month. The checks are meant to catch namespace impersonation, published secrets, and known malicious patterns earlier and limit exposure.
Related Happenings
GitHub npm GAT publish-token mitigation guidance
Advisory/Mitigation
H score25
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
GitHub npm GAT publish-token mitigation guidance
Advisory/MitigationAbout this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace
Security Tool/Service
H score28
First: 12.05.2026 01:03
Last: 12.05.2026 01:03
Sources 1
About this happening:
A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...
Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace
Security Tool/ServiceAbout this happening: A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...
Windows Shell spoofing flaw actively exploited (CVE-2026-32202)
Vulnerability
H score47
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
**Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...
Windows Shell spoofing flaw actively exploited (CVE-2026-32202)
VulnerabilityAbout this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...
GlassWorm OpenVSX sleeper extension campaign
Campaign
H score45
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm OpenVSX sleeper extension campaign
CampaignAbout this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
Timeline
-
27.03.2026 15:57 1 articles · 3mo ago
Open VSX pre-publish scanning bug patched
Mitigation Patch UpdateKoi Security disclosed a now-patched flaw in Open VSX's pre-publish scanning pipeline that could let a malicious Microsoft Visual Studio Code (VS Code) extension pass vetting and go live when scanner job failures were misread as "no scanners are configured"; Open VSX fixed the issue in version 0.32.0 after responsible disclosure on February 8, 2026.
Show sources
- Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks — thehackernews.com — 27.03.2026 15:57
-
04.02.2026 08:26 2 articles · 5mo ago
Open VSX Registry adds pre-publish security checks
Initial DisclosureThe Eclipse Foundation plans to add pre-publish security checks for Microsoft Visual Studio Code (VS Code) extensions in the Open VSX Registry, moving from post-publication investigation to proactive screening so malicious uploads can be quarantined or blocked before publication. The staged rollout will monitor newly published extensions during February 2026 to tune the system, reduce false positives, and prepare enforcement to begin next month.
Show sources
- Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions — thehackernews.com — 04.02.2026 08:26
- Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions — thehackernews.com — 04.02.2026 08:26