

Ethical Hacking News

A Critical Vulnerability in Open VSX Allows Malicious Extensions to Bypass Pre-Publish Security Checks



A critical vulnerability in Open VSX has been discovered, allowing malicious Microsoft Visual Studio Code extensions to bypass pre-publish security checks. The bug, dubbed "Open Sesame," exposes a weakness in the pipeline's design, which can be exploited by attackers to publish malicious extensions without being thoroughly vetted. This discovery highlights the importance of robust security measures and underscores the need for developers to prioritize ongoing testing and maintenance to ensure the integrity of these platforms.

  • The Open VSX pre-publish scanning pipeline has a critical vulnerability dubbed "Open Sesame" that allows malicious extensions to bypass security checks.
  • The bug lies in the pipeline's design, which uses a single boolean return value that cannot distinguish the legitimate "no scanners are configured" case from an actual scanner job failure.
  • The vulnerability could have significant implications for the Open VSX ecosystem, potentially causing widespread harm to users.
  • The issue was initially discovered by Koi Security researchers in an extensive review of Open VSX's security features.
  • A fix for the bug was released in version 0.32.0, addressing the weakness by making failure states explicit and avoiding fail-open error handling.


In a recent discovery that has put cybersecurity professionals on high alert, researchers at Koi Security have identified a critical vulnerability in Open VSX's pre-publish scanning pipeline. The bug, dubbed "Open Sesame," allows malicious Microsoft Visual Studio Code (VS Code) extensions to bypass the tool's security checks and get published to the repository without being thoroughly scanned.

According to Koi Security researcher Oran Simhony, the issue lies in the pipeline's design, which uses a single boolean return value that fails to distinguish between the legitimate "no scanners are configured" scenario and an actual scanner job failure. As a result, when the pipeline is under load and a scanner job fails, the failure is treated as "nothing to scan for" and the extension passes through without being vetted.

This vulnerability has significant implications for the Open VSX ecosystem, which serves as the extension marketplace not only for VS Code but also for forks such as Cursor and Windsurf. With millions of users relying on these tools for development, testing, and deployment, a single malicious extension could cause widespread harm to the community.

The issue was initially discovered by Koi Security researchers during an extensive review of Open VSX's security features. The bug was confirmed after responsible disclosure on February 8, 2026, when the Eclipse Foundation announced plans to enforce pre-publish security checks in an effort to address growing concerns about malicious extensions.

The vulnerability remained unfixed until recently: Open VSX version 0.32.0, released last month, contains a fix for the critical bug. According to Koi Security, the weakness was addressed by making failure states explicit and avoiding fail-open error handling in the pipeline's design.

"This is a common anti-pattern: fail-open error handling hiding behind a code path designed for a legitimate 'nothing to do' case," warned Oran Simhony. "If you're building similar pipelines, make failure states explicit. Never let 'no work needed' and 'work failed' share a return value."
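To make the anti-pattern concrete, here is an added Python sketch, constructed for this article and not Open VSX's own code: a scheduling step whose boolean result folds a queue failure into the same value that means "no scanners configured", shown next to a version that reports explicit outcomes. All class and function names are hypothetical.

```python
from enum import Enum, auto

# Constructed job queue standing in for the pipeline's scanner job scheduler.
class QueueFull(Exception):
    """Raised when the pipeline is under load and cannot accept another job."""

class JobQueue:
    def __init__(self, capacity: int):
        self.capacity, self.jobs = capacity, []

    def submit(self, job):
        if len(self.jobs) >= self.capacity:
            raise QueueFull("scanner job queue saturated")
        self.jobs.append(job)

# --- Vulnerable shape: one boolean for "no scanners" and "scheduling failed" ---
def schedule_scans_fail_open(scanners, queue) -> bool:
    """True = jobs queued; False = nothing to scan. Failure also yields False."""
    if not scanners:
        return False                      # legitimate: nothing configured
    try:
        for scanner in scanners:
            queue.submit(scanner)
        return True
    except QueueFull:
        return False                      # BUG: failure looks like "nothing to scan"

def publish_now_fail_open(scanners, queue) -> bool:
    # The caller reads False as "no scan required" and publishes immediately.
    return not schedule_scans_fail_open(scanners, queue)

# --- Hardened shape: the three states are distinct and failure fails closed ---
class ScanOutcome(Enum):
    NOT_REQUIRED = auto()   # no scanners configured
    QUEUED = auto()         # jobs submitted; publish only after they report clean
    FAILED = auto()         # could not schedule; block until a retry succeeds

def schedule_scans(scanners, queue) -> ScanOutcome:
    if not scanners:
        return ScanOutcome.NOT_REQUIRED
    try:
        for scanner in scanners:
            queue.submit(scanner)
        return ScanOutcome.QUEUED
    except QueueFull:
        return ScanOutcome.FAILED

def publish_now(scanners, queue) -> bool:
    # Only the explicit "nothing to scan" state allows immediate publication.
    return schedule_scans(scanners, queue) is ScanOutcome.NOT_REQUIRED
```

With a saturated queue (capacity 0) the fail-open version publishes an unscanned extension, while the hardened version reports FAILED and holds it back.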

The discovery highlights the importance of robust security checks in software development tools like Open VSX. Pre-publish scanning is an important layer of defense against malicious extensions, but this vulnerability exposed a weakness in how the pipeline handled its own failures.

As researchers at Koi Security emphasized, "Pre-publish scanning is an important layer, but it's one layer." The overall design may be sound, but a single boolean value cannot distinguish a legitimate "nothing to scan" result from a failed scanner job. This underscores the need for developers to prioritize robust security measures, such as explicit failure states, when designing critical infrastructure like Open VSX.

The incident serves as a reminder of the risks associated with open-source software development tools and highlights the importance of ongoing testing, monitoring, and maintenance to keep these platforms secure.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-Open-VSX-Allows-Malicious-Extensions-to-Bypass-Pre-Publish-Security-Checks-ehn.shtml

  • https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html

  • https://iplogger.org/blog/open-vsx-bug-let-malicious-vs-code-extensions-bypass-pre-publish-security-checks/


  • Published: Fri Mar 27 12:10:25 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
