The Eclipse Foundation has taken a bold step towards securing its open-source ecosystem by implementing mandatory security checks for Visual Studio Code extensions before they hit the Open VSX Registry. This proactive approach aims to prevent malicious extensions from slipping through the cracks and compromising the integrity of the platform.
Up until now, the Open VSX Registry has relied on a reactive strategy, addressing issues only after extensions have been published. As Christopher Guindon, the director of software development at Eclipse, explains, this method has its limitations, especially as the volume of publications increases and threat models evolve.
The recent surge in attacks on open-source package registries and extension marketplaces has highlighted the need for a more robust defense mechanism. Bad actors have been exploiting these platforms to target developers on a large scale, employing tactics like namespace impersonation and typosquatting. Just last week, Socket flagged an incident where a compromised publisher's account was used to distribute malicious updates.
By introducing pre-publish checks, the Eclipse Foundation aims to close this window of vulnerability. These checks will flag clear cases of impersonation, accidental exposure of credentials, and known malicious patterns. Additionally, suspicious uploads will be quarantined for review, ensuring that potentially harmful extensions don't make it into the open-source repository.
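As an added illustration of the three checks described above (this is not Eclipse's or Open VSX's code, and the publisher allow-list, secret regexes and malicious-pattern list are constructed assumptions), a minimal pre-publish gate that inspects an extension manifest and its text files and returns a publish-or-quarantine verdict:

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed allow-list of established publishers (assumption, not Open VSX data).
KNOWN_PUBLISHERS = {"ms-python", "redhat", "esbenp", "eamodio"}

# Secret-looking strings that should never ship inside an extension (constructed patterns).
CREDENTIAL_PATTERNS = {
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Known-malicious code shapes (constructed, illustrative only).
MALICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(r"eval\(\s*(?:atob|Buffer\.from)\("),
}


def looks_like_impersonation(publisher: str) -> Optional[str]:
    """Return the established publisher this name is confusingly close to, if any.
    An exact match is legitimate; a near match (typosquat) is flagged."""
    if publisher in KNOWN_PUBLISHERS:
        return None
    for known in KNOWN_PUBLISHERS:
        if SequenceMatcher(None, publisher.lower(), known.lower()).ratio() >= 0.8:
            return known
    return None


def pre_publish_check(manifest: dict, files: dict) -> dict:
    """Run impersonation, credential-exposure and malicious-pattern checks.
    `files` maps path -> text content. Any finding sends the upload to quarantine
    for human review instead of rejecting it outright."""
    findings = []
    target = looks_like_impersonation(manifest.get("publisher", ""))
    if target:
        findings.append(f"publisher '{manifest['publisher']}' resembles '{target}'")
    for path, text in files.items():
        for name, rx in CREDENTIAL_PATTERNS.items():
            if rx.search(text):
                findings.append(f"{path}: possible {name}")
        for name, rx in MALICIOUS_PATTERNS.items():
            if rx.search(text):
                findings.append(f"{path}: {name}")
    return {"verdict": "quarantine" if findings else "publish", "findings": findings}
```

A real gate would also record every finding so reviewers can measure false positives during the monitoring phase before enforcement starts.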
Microsoft, with its Visual Studio Marketplace, has already implemented a similar multi-step vetting process. This includes malware scanning, immediate rescanning of newly published packages, and periodic bulk rescanning of all packages.
The Eclipse Foundation plans to roll out its extension verification program in stages. During February 2026, the maintainers will monitor newly published extensions without blocking publication, allowing them to fine-tune the system, reduce false positives, and improve the feedback publishers receive. Full enforcement will begin the following month.
Guindon emphasizes that the goal is to enhance security, assist publishers in identifying issues early on, and maintain a fair and predictable experience for good-faith publishers. By implementing these pre-publish checks, the Eclipse Foundation aims to boost confidence in the Open VSX Registry as a secure and reliable shared infrastructure.
What are your thoughts on this new security measure? Do you think it will effectively mitigate supply chain threats in the open-source community? We'd love to hear your opinions in the comments below!