Open VSX Hits 300M Downloads, Adds Security Scanning

MAR 21 · OPEN SOURCE · 4 MIN READ · 92376 COMMENTS

On March 3, 2026, the Eclipse Foundation announced that the Open VSX Registry — the open-source alternative to Microsoft's proprietary Visual Studio Marketplace — has crossed 300 million monthly downloads. The number alone is a milestone worth noting. The security announcement that came with it matters more for developers who publish or install VS Code extensions.

Starting this month, Open VSX enforces mandatory pre-publication security scanning for all extension uploads. The system checks for known malicious code patterns, detects namespace impersonation and extension name spoofing, flags exposed credentials or embedded secrets, and quarantines suspicious uploads automatically until human review completes. February 2026 was a shadow-mode period — the scanning ran but did not block. From March, quarantine is live.

The Threat Model for VS Code Extensions

VS Code extensions execute in the developer's local environment with broad permissions. A malicious extension has access to the file system, network, environment variables, terminal, and editor state — it is not sandboxed from your credentials, SSH keys, .env files, or git config. An extension with malicious intent installed by a developer on a company machine is, in security terms, a foothold with the same access level as the developer themselves.

The attack pattern Open VSX's scanning targets is well-documented. Several incidents across both the Visual Studio Marketplace and Open VSX in the past two years followed the same playbook: publish a package named similarly to a popular extension, wait for developers to install it through a typo or search result, and exfiltrate credentials silently. The typosquatting vector requires no technical sophistication — just a patient attacker and a plausible name.

Pre-publication scanning addresses this before it reaches developers. Namespace impersonation and name-spoofing detection directly targets typosquatting. Credential scanning catches legitimate extensions that accidentally include secrets — a real risk given that many extensions are maintained by individual developers who may not apply the same secrets hygiene as a professional security team. The quarantine system adds a human review gate for anything the automated scanner flags.
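To make the two detection categories above concrete, here is a small added example of what a pre-publication check of this kind can look like. It is illustrative code written for this post, not Open VSX's scanner, and it assumes a constructed list of "popular" extension ids, an edit-distance threshold of one after folding case, separators and digit-for-letter look-alikes, and secret patterns limited to formats with a fixed documented shape (AWS access key ids, classic GitHub tokens). Anything either check flags is routed to a quarantine verdict for human review, matching the flow the announcement describes.

```javascript
// Added example, not Open VSX's own scanner: a minimal pre-publication check
// covering namespace impersonation / name spoofing and embedded secrets.

// Constructed catalogue of "popular" extension ids (publisher namespace.name).
// A real registry would derive this from its own download statistics.
const KNOWN_EXTENSIONS = [
  "ms-python.python",
  "esbenp.prettier-vscode",
  "dbaeumer.vscode-eslint",
];

// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Fold the substitutions typosquats rely on: case, interchangeable separators
// and digit-for-letter look-alikes. Comparisons are made on this form.
const LOOKALIKES = { "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w" };
function normalizeName(name) {
  let s = name.toLowerCase().replace(/[._-]/g, "");
  for (const [from, to] of Object.entries(LOOKALIKES)) s = s.split(from).join(to);
  return s;
}

// Compare a candidate id against the known list. An exact match is the genuine
// extension; the same publisher namespace is trusted to publish what it likes.
function findSpoofTargets(extensionId, known = KNOWN_EXTENSIONS) {
  const [ns, name] = extensionId.split(".");
  const findings = [];
  for (const target of known) {
    if (target === extensionId) return [];
    const [kns, kname] = target.split(".");
    if (ns === kns) continue;
    const nsDist = editDistance(normalizeName(ns), normalizeName(kns));
    const nameDist = editDistance(normalizeName(name), normalizeName(kname));
    if (nsDist <= 1 && nameDist <= 1) {
      // Publisher namespace is a look-alike of the real one: impersonation.
      findings.push({ kind: "namespace-impersonation", target });
    } else if (nameDist <= 1) {
      // Name matches a popular extension but comes from an unrelated publisher.
      findings.push({ kind: "name-spoofing", target });
    }
  }
  return findings;
}

// Secret formats with a fixed, publicly documented shape. Generic "password ="
// heuristics are left out to keep false positives (and review load) low.
const SECRET_PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
];

// Scan file contents (map of path -> text) line by line. The finding carries a
// redacted prefix only, so the scanner's own output does not leak the secret.
function scanForSecrets(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, idx) => {
      for (const { name, re } of SECRET_PATTERNS) {
        for (const m of line.matchAll(re)) {
          findings.push({ kind: name, path, line: idx + 1, value: m[0].slice(0, 6) + "..." });
        }
      }
    });
  }
  return findings;
}

// Combine both checks: anything flagged goes to quarantine for human review.
function reviewExtension(manifest, files) {
  const id = `${manifest.publisher}.${manifest.name}`;
  const findings = [...findSpoofTargets(id), ...scanForSecrets(files)];
  return { id, verdict: findings.length > 0 ? "quarantine" : "accept", findings };
}

// Constructed upload: a look-alike publisher namespace plus a leaked AWS key id
// (the key below is AWS's documented example value, not a live credential).
const SAMPLE_MANIFEST = { publisher: "ms-pyth0n", name: "python" };
const SAMPLE_FILES = {
  "src/extension.js": [
    "const vscode = require('vscode');",
    "const KEY = 'AKIAIOSFODNN7EXAMPLE';",
    "module.exports = { activate() {} };",
  ].join("\n"),
};

console.log(JSON.stringify(reviewExtension(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

The namespace check deliberately stays silent when the publisher namespace is identical to the known one, because namespace ownership is the registry's job, not the scanner's; the look-alike logic only fires for a different namespace that normalizes to within one edit of a popular one. The secret scanner reports line numbers and a truncated prefix so a reviewer can locate the leak without the finding itself becoming a second copy of the credential.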

Why Scale Changes the Security Calculus

Open VSX serves VS Code, VSCodium, and any editor built on the Code - Open Source codebase, including Eclipse Theia, Gitpod, and multiple cloud IDE products. At 300 million monthly downloads, it is production infrastructure for millions of developers. That scale changes the economics of a supply chain attack: a malicious extension that reaches 0.01% of installs affects 30,000 machines.

A registry at 10 million downloads can tolerate reactive security — detect and remove malicious extensions after reports arrive. At 300 million, the registry is a target worth attacking proactively, and reactive-only security leaves a window that sophisticated attackers are willing to exploit. The Eclipse Foundation is treating it accordingly.

What Changes for Extension Publishers

If you publish extensions to Open VSX, the practical impact is minimal for legitimate publishers. The scanning targets actual malicious patterns and credential exposure, not normal extension behavior. Extensions that make network requests or access environment variables for operational reasons are not flagged for those behaviors alone — the system looks for known attack patterns and secret material in code.

If your extension gets quarantined, there is a review process. Documenting behavior clearly in your manifest and README helps reviewers understand what is intentional and move faster. Keeping extension code free of hardcoded tokens or API keys — which it should be regardless — means the credential scanner will not catch you accidentally.

For developers installing extensions, the scanning reduces but does not eliminate risk. Pre-publication checks catch known patterns; novel attacks may still get through. Install extensions from publishers you recognize, review what permissions an extension requests, and treat newly published extensions without a download history skeptically.

KEY POINTS:

- Open VSX Registry crossed 300 million monthly downloads as of March 2026
- Pre-publish security scanning now enforced — quarantine live from March 2026
- Scans for: malicious code patterns, typosquatting, exposed credentials, name spoofing
- February 2026 was shadow mode (scan but don't block); March is live enforcement
- A malicious extension reaching 0.01% of installs at this scale = 30,000 affected developer machines
- Legitimate publishers: document behavior in manifest/README to speed quarantine review