Find notable cyber news and cases, enriched with sources, timelines, and signals.

Open VSX Registry adds pre-publish security checks for VS Code extensions

Security Tool/Service
First reported
Last updated
Happening score
H score 11
1 unique sources, 2 articles

Summary

Hide ▲

Open VSX Registry will add pre-publish security checks for VS Code extensions, reducing the chance that malicious packages reach the ecosystem. The rollout uses February 2026 to monitor new uploads before blocking them, with enforcement starting next month. The checks are meant to catch namespace impersonation, published secrets, and known malicious patterns earlier and limit exposure.

Related Happenings

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation
H score25 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
H score68 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...

Latest development: 09.06.2026 18:42

On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace

Security Tool/Service
H score28 First: 12.05.2026 01:03 Last: 12.05.2026 01:03 Sources 1

About this happening: A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
H score47 First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

GlassWorm OpenVSX sleeper extension campaign

Campaign
H score45 First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

Timeline

  1. 27.03.2026 15:57 1 articles · 3mo ago

    Open VSX pre-publish scanning bug patched

    Mitigation Patch Update

    Koi Security disclosed a now-patched flaw in Open VSX's pre-publish scanning pipeline that could let a malicious Microsoft Visual Studio Code (VS Code) extension pass vetting and go live when scanner job failures were misread as "no scanners are configured"; Open VSX fixed the issue in version 0.32.0 after responsible disclosure on February 8, 2026.

    Show sources
  2. 04.02.2026 08:26 2 articles · 5mo ago

    Open VSX Registry adds pre-publish security checks

    Initial Disclosure

    The Eclipse Foundation plans to add pre-publish security checks for Microsoft Visual Studio Code (VS Code) extensions in the Open VSX Registry, moving from post-publication investigation to proactive screening so malicious uploads can be quarantined or blocked before publication. The staged rollout will monitor newly published extensions during February 2026 to tune the system, reduce false positives, and prepare enforcement to begin next month.

    Show sources