

Ethical Hacking News

Exposing the Vulnerability: A Threat to Millions of Developers



A critical vulnerability in the Open VSX Registry has been discovered that leaves millions of developers exposed to supply chain attacks. An attacker exploiting it could hijack the entire extensions marketplace and, through it, gain full control over millions of developer machines.

  • The Open VSX Registry has a critical flaw that could let attackers hijack the Visual Studio Code extension hub.
  • The vulnerability was discovered by Koi Security and allows attackers to take control of the entire extensions marketplace.
  • The registry's auto-publishing process exposes a secret token that can be stolen by malicious actors.
  • Only trusted code should see this token, but the current implementation provides it to all auto-published extensions.
  • The vulnerability is a massive supply chain risk, similar to the SolarWinds attack, affecting millions of developers.
  • Developers and organizations must take immediate action to secure their systems against potential attacks.




  • The Open VSX Registry is an open-source extension registry maintained by the Eclipse Foundation, serving as a community-driven alternative to Microsoft's proprietary Visual Studio Code Marketplace. It allows developers and organizations to publish, discover, and use extensions for VS Code-compatible editors without being tied to Microsoft's licensing. The registry has gained significant traction, with over 8 million developers relying on it for their development needs.

    However, the recent discovery of a critical vulnerability in the Open VSX Registry poses a significant threat to these millions of developers. The vulnerability, discovered by Koi Security, allows attackers to take control of the entire extensions marketplace, thereby gaining full control over millions of developer machines. This, in turn, can lead to supply chain attacks, where malicious code is published under the guise of legitimate updates, compromising the security of countless systems.

    The vulnerability was identified by analysing the registry's auto-publishing process: a nightly GitHub Actions workflow that runs npm install on untrusted extension code. That workflow exposes a secret token (OVSX_PAT) with permission to publish or overwrite any extension. The report highlights that only trusted code should ever see this token; because the workflow makes it available to untrusted code, a malicious actor could steal it and hijack the entire Open VSX marketplace.

    The root cause is that npm install runs the extension's install-time scripts (npm lifecycle scripts) for every auto-published extension, and those scripts inherit the workflow's environment, including the OVSX_PAT variable. A malicious extension can therefore exfiltrate the token and use it to publish or modify extensions with malicious code. The researchers also point out that this is a massive supply chain risk, similar to the SolarWinds attack: IDE auto-updates would deliver compromised extensions to millions of developers, particularly users of desktop editors such as VS Code, VSCodium, and Cursor.

    The disclosure timeline reflects a thorough process of identifying and addressing the vulnerability. From the initial disclosure on May 4th to the deployment of a fixed version on June 25th, Koi Security worked closely with the Eclipse Foundation on the issue. Multiple fixes were proposed and reviewed during that period, showing how security researchers and software developers can collaborate effectively.

    The report concludes that the problem is universal: if it's code, and it runs in your environment, it's part of your attack surface. Every marketplace item is a potential backdoor, deserving the same diligence as any package from PyPI, npm, or GitHub. If left unchecked, these unvetted software dependencies with privileged access create an invisible supply chain that attackers are increasingly exploiting.

    In light of this critical vulnerability, developers and organizations must take immediate action to secure their systems against potential attacks. This includes updating their IDEs and extensions to the latest versions, as well as implementing robust security measures such as source code analysis and continuous monitoring. The Open VSX Registry has since deployed a fixed version that addresses the vulnerability.

    The recent discovery of this critical flaw in the Open VSX Registry serves as a stark reminder of the importance of prioritizing cybersecurity in the development process. As our reliance on open-source software and community-driven projects grows, so does the risk of vulnerabilities like this one. It is essential for developers and organizations to remain vigilant and proactive in addressing these risks, ensuring that their systems are protected against potential attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Exposing-the-Vulnerability-A-Threat-to-Millions-of-Developers-ehn.shtml

  • https://securityaffairs.com/179398/hacking/taking-over-millions-of-developers-exploiting-an-open-vsx-registry-flaw.html


  • Published: Fri Jun 27 16:07:40 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.