Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks

2026-03-27

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

This article covers a now-patched vulnerability in Open VSX's pre-publish extension scanning pipeline that allowed malicious VS Code extensions to bypass security checks.

•The bug, codenamed "Open Sesame", stemmed from a single boolean return value that conflated "no scanners configured" with "all scanners failed to run", causing the system to fail-open.
•An attacker could flood the publish endpoint with multiple .VSIX files to exhaust the database connection pool, causing scan jobs to fail to enqueue and extensions to be auto-approved.
•No special privileges were required — a free publisher account was sufficient to exploit the vulnerability.
•A recovery service meant to retry failed scans had the same flaw, removing any fallback protection.
•

Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture