Close Menu
    What's Hot

    Oil giant BP shutters its corporate venture arm after 20 years

    Chevron and Iraq seek to bypass Strait of Hormuz with Syria pipeline

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    Facebook X (Twitter) Instagram
    Trending
    • Oil giant BP shutters its corporate venture arm after 20 years
    • Chevron and Iraq seek to bypass Strait of Hormuz with Syria pipeline
    • Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories
    • This Meta study shows AI chatbots could be spreading restrictions on free expression
    • Opinion | Falling Birthrates and America’s Future
    • Republican Senator Thom Tillis Demands Todd Blanche Meet With Epstein Survivors
    • To Defend Europe, German Military Power Needs to Go It Alone
    • How the NYT Reported on Khamenei’s Funeral in Iran
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks

    adminBy adminMarch 27, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananMar 27, 2026Software Security / DevSecOps

    Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks

    Cybersecurity researchers have disclosed details of a now-patched bug impacting Open VSX’s pre-publish scanning pipeline to cause the tool to allow a malicious Microsoft Visual Studio Code (VS Code) extension to pass the vetting process and go live in the registry.

    “The pipeline had a single boolean return value that meant both ‘no scanners are configured’ and ‘all scanners failed to run,'” Koi Security researcher Oran Simhony said in a report shared with The Hacker News. “The caller couldn’t tell the difference. So when scanners failed under load, Open VSX treated it as ‘nothing to scan for’ and waved the extension right through.”

    Cybersecurity

    Early last month, the Eclipse Foundation, which maintains Open VSX, announced plans to enforce pre-publish security checks before VS Code extensions are published to the repository in an attempt to tackle the growing problem of malicious extensions.

    With Open VSX also serving as the extension marketplace for Cursor, Windsurf, and other VS Code forks, the move was seen as a proactive approach to prevent rogue extensions from getting published in the first place. As part of pre-publish scanning, extensions that fail the process are quarantined for admin review.

    The vulnerability discovered by Koi, codenamed Open Sesame, has to do with how this Java-based service reports the scan results. Specifically, it’s rooted in the fact that it misinterprets scanner job failures as no scanners are configured, causing an extension to be marked as passes, and then immediately activated and made available for download from Open VSX.

    At the same time, it can also refer to a scenario where the scanners exist, and the scanner jobs have failed and cannot be enqueued because the database connection pool is exhausted. Even more troublingly, a recovery service designed to retry failed scans suffered from the same problem, thereby allowing extensions to skip the entire scanning process under certain conditions.

    An attacker can take advantage of this weakness to flood the publish endpoint with several malicious .VSIX extensions, causing the concurrent load to exhaust the database connection pool. This, in turn, leads to a scenario where scan jobs fail to enqueue.

    Cybersecurity

    What’s notable about the attack is that it does not require any special privileges. A malicious actor with a free publisher account could have reliably triggered this vulnerability to undermine the scanning process and get their extension published. The issue was addressed in Open VSX version 0.32.0 last month following responsible disclosure on February 8, 2026.

    “Pre-publish scanning is an important layer, but it’s one layer,” Koi said. “The pipeline’s design is sound, but a single boolean that couldn’t distinguish between ‘nothing to do’ and ‘something went wrong’ turned the entire infrastructure into a gate that opened under pressure.”

    “This is a common anti-pattern: fail-open error handling hiding behind a code path designed for a legitimate ‘nothing to do’ case. If you’re building similar pipelines, make failure states explicit. Never let ‘no work needed’ and ‘work failed’ share a return value.”

    bug Bypass checks Code extensions malicious Open PrePublish Security VSX
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleRising fuel prices threaten NSRI operations
    Next Article Rivian gets another $1B from Volkswagen
    admin
    • Website

    Related Posts

    Chevron and Iraq seek to bypass Strait of Hormuz with Syria pipeline

    July 16, 2026

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    July 16, 2026

    The Open: Bryson DeChambeau responds to ‘no strategy’ comments by making fast start and snubbing media at Royal Birkdale | Golf News

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Oil giant BP shutters its corporate venture arm after 20 years

    Chevron and Iraq seek to bypass Strait of Hormuz with Syria pipeline

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    This Meta study shows AI chatbots could be spreading restrictions on free expression

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by