- A critical security flaw in the Open VSX registry’s scanning pipeline could have allowed malicious extensions to bypass vetting checks.
- The bug, named Open Sesame, misinterpreted scanner failures as no scanners being configured, automatically approving dangerous extensions.
- Attackers could have exploited this with a free account by flooding the system to exhaust database connections and skip scanning.
- The vulnerability was responsibly disclosed and patched in Open VSX version 0.32.0, released in February 2026.
Cybersecurity researchers revealed on March 27, 2026, that a now-patched bug in the Open VSX extension marketplace’s security pipeline could have let malicious Visual Studio Code add-ons slip through undetected. According to a report shared with The Hacker News, the flaw stemmed from a critical misinterpretation of scanner job failures.
The vulnerability, codenamed Open Sesame, originated from a single boolean return value that conflated two distinct states. “The pipeline had a single boolean return value that meant both ‘no scanners are configured’ and ‘all scanners failed to run,’” researcher Oran Simhony said. Consequently, when scanners failed under load, the system treated the failure as if there were nothing to scan and waved the extension through: a fail-open design, where an error in the control produces the permissive result instead of the restrictive one.
This presented a severe risk because Open VSX also serves extensions for other popular code editors such as Cursor and Windsurf. An attacker with a free account could have triggered the condition deliberately by flooding the publish endpoint with extension uploads to exhaust the database connection pool. Once the pool was exhausted, scan jobs failed to enqueue, and the pipeline reported that result with the same value it used for “no scanners configured,” bypassing the pre-publish security checks the Eclipse Foundation had recently announced.
The issue was addressed following responsible disclosure on February 8, 2026. The fix shipped in Open VSX version 0.32.0 in February 2026, as detailed in a GitHub commit. Koi Security emphasized that conflating “nothing to check” with “the check failed” is a common anti-pattern in system design.
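The two pipeline shapes described above, the fail-open boolean and a fail-closed alternative that keeps “no scanners configured”, “scanner could not run” and “clean” as distinct outcomes, as an added illustration. This is not Open VSX’s code: the names (`ScanOutcome`, `publish_fail_open`, `publish_fail_closed`, `ConnectionPool`), the toy scanner signature and the sample packages are all constructed for the example, and the exhausted connection pool is simulated rather than produced by real load.

```python
"""Fail-open vs fail-closed scan gating (illustrative, not Open VSX code)."""
from enum import Enum, auto
from typing import Callable, Iterable, List


class PoolExhausted(Exception):
    """Stands in for 'no free DB connection, scan job could not be enqueued'."""


class ConnectionPool:
    """Minimal stand-in for a database connection pool (constructed for the demo)."""

    def __init__(self, size: int) -> None:
        self.free = size

    def acquire(self) -> None:
        if self.free == 0:
            raise PoolExhausted("connection pool exhausted")
        self.free -= 1

    def release(self) -> None:
        self.free += 1


# A scanner returns True when the package looks clean.
Scanner = Callable[[bytes], bool]


def make_db_backed_scanner(pool: ConnectionPool) -> Scanner:
    """A scanner that needs a DB connection to enqueue its job; fails under a flood."""

    def scan(package: bytes) -> bool:
        pool.acquire()
        try:
            return b"eval(" not in package  # hypothetical signature, not a real rule
        finally:
            pool.release()

    return scan


# --- the anti-pattern: one boolean for 'flagged', everything else collapses to False
def run_scans_boolean(scanners: Iterable[Scanner], package: bytes) -> bool:
    flagged = False
    for scan in scanners:
        try:
            if not scan(package):
                flagged = True
        except PoolExhausted:
            continue  # failure is swallowed and now looks like 'no scanner ran'
    return flagged


def publish_fail_open(scanners: List[Scanner], package: bytes) -> str:
    # Reached both when no scanner exists and when every scanner failed.
    return "rejected" if run_scans_boolean(scanners, package) else "published"


# --- fail-closed: keep the states distinct and never auto-approve on error
class ScanOutcome(Enum):
    CLEAN = auto()
    MALICIOUS = auto()
    NOT_CONFIGURED = auto()  # zero scanners registered
    ERROR = auto()           # at least one scanner could not run


def run_scans(scanners: Iterable[Scanner], package: bytes) -> ScanOutcome:
    scanners = list(scanners)
    if not scanners:
        return ScanOutcome.NOT_CONFIGURED
    errored = False
    for scan in scanners:
        try:
            if not scan(package):
                return ScanOutcome.MALICIOUS  # one verdict is enough to reject
        except PoolExhausted:
            errored = True
    return ScanOutcome.ERROR if errored else ScanOutcome.CLEAN


def publish_fail_closed(scanners: List[Scanner], package: bytes,
                        scanning_required: bool = True) -> str:
    outcome = run_scans(scanners, package)
    if outcome is ScanOutcome.MALICIOUS:
        return "rejected"
    if outcome is ScanOutcome.CLEAN:
        return "published"
    if outcome is ScanOutcome.NOT_CONFIGURED and not scanning_required:
        return "published"  # an explicit operator choice, not an accident
    return "held"  # ERROR, or scanning required but absent: wait for a retry


def demo() -> dict:
    """Run both gates over constructed inputs under normal and flooded conditions."""
    malicious = b"module.exports = () => eval(process.env.PAYLOAD);"  # constructed
    clean = b"module.exports = () => 'hello';"  # constructed
    pool = ConnectionPool(size=1)
    scanner = make_db_backed_scanner(pool)
    results = {
        "normal": (publish_fail_open([scanner], malicious),
                   publish_fail_closed([scanner], malicious)),
        "clean": (publish_fail_open([scanner], clean),
                  publish_fail_closed([scanner], clean)),
    }
    pool.free = 0  # simulate a flood of publishes holding every connection
    results["flooded"] = (publish_fail_open([scanner], malicious),
                          publish_fail_closed([scanner], malicious))
    results["no_scanners"] = (publish_fail_open([], malicious),
                              publish_fail_closed([], malicious))
    return results


if __name__ == "__main__":
    for case, (fail_open, fail_closed) in demo().items():
        print(f"{case:12} fail-open={fail_open:10} fail-closed={fail_closed}")
```

The point of the enum is that the caller is forced to decide what to do with `ERROR` and `NOT_CONFIGURED` separately; in the boolean version both fall into the same `else` branch as a clean result, which is exactly the state Simhony describes.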
