Eclipse Foundation Implements Mandatory Pre-Publish Security Checks for Open VSX Extensions


What happened

The Eclipse Foundation announced it will begin enforcing mandatory security checks before Microsoft Visual Studio Code extensions can be published to its open‑source Open VSX Registry, shifting from reactive takedowns to proactive scanning to mitigate software supply chain risks.

Who is affected

Developers who publish or consume VS Code extensions via the Open VSX Registry and organizations that rely on these extensions in their development workflows are directly impacted by the new verification process. 

Why CISOs should care

Open source extension marketplaces have become frequent vectors for supply chain attacks, including namespace impersonation, typosquatting, and malicious payloads, posing risk to development environments and downstream applications; proactive pre‑publish checks can reduce the chance that malicious or unsafe extensions enter the ecosystem.

3 practical actions

  1. Review extension sources and dependencies: Inventory all VS Code extensions used in your organization and ensure they come from trusted publishers with a security review process.
  2. Integrate supply chain scanning: Deploy tools that automatically scan extension dependencies and artifacts for malicious patterns before use in development pipelines.
  3. Update development policies: Adjust internal secure development standards to require pre‑deployment verification of extensions, aligning with Eclipse Foundation’s new checks and broader supply chain security practices.
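A starting point for the first two actions is an inventory of installed extensions checked against an internal publisher allowlist. The script below is an added example, not code from the Eclipse Foundation or the Open VSX project: it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints, reports extensions whose publisher is not on the allowlist, and separately flags publishers that sit within a small edit distance of a trusted namespace, which is the namespace-impersonation and typosquatting pattern the brief describes. The allowlist, the sample listing and the distance threshold are constructed assumptions for illustration.

```python
"""Inventory VS Code extensions and check publishers against an allowlist.

Added example (not Eclipse Foundation / Open VSX code). It classifies each
installed extension as 'trusted', 'lookalike' (publisher is a near-miss of a
trusted namespace) or 'unreviewed'. Allowlist and listing are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: the organization's allowlist of trusted publisher namespaces.
TRUSTED_PUBLISHERS = {"ms-python", "redhat", "golang", "rust-lang"}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
redhat.java@1.30.0
golang.go@0.41.4
rustlang.rust-analyzer@0.3.1900
ms-pyth0n.python-helper@0.0.3
someuser.cool-theme@1.0.0
"""


@dataclass(frozen=True)
class Extension:
    publisher: str
    name: str
    version: Optional[str]


def parse_listing(text: str) -> list:
    """Parse `publisher.name@version` lines; a line without '@' keeps version=None."""
    extensions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ident, _, version = line.partition("@")
        if "." not in ident:
            continue  # not a publisher.name identifier; skip defensively
        publisher, name = ident.split(".", 1)
        extensions.append(Extension(publisher.lower(), name, version or None))
    return extensions


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def classify(ext: Extension, trusted=TRUSTED_PUBLISHERS, max_distance: int = 2) -> str:
    """Exact allowlist hit -> 'trusted'; near-miss of a trusted name -> 'lookalike'."""
    if ext.publisher in trusted:
        return "trusted"
    for known in trusted:
        if edit_distance(ext.publisher, known) <= max_distance:
            return "lookalike"
    return "unreviewed"


def review(text: str, trusted=TRUSTED_PUBLISHERS) -> dict:
    """Group extension ids by classification; 'lookalike' entries deserve first attention."""
    report = {"trusted": [], "lookalike": [], "unreviewed": []}
    for ext in parse_listing(text):
        report[classify(ext, trusted)].append(f"{ext.publisher}.{ext.name}")
    return report


if __name__ == "__main__":
    for status, ids in review(SAMPLE_LISTING).items():
        print(f"{status:10s} {', '.join(ids) or '-'}")
```

In practice the listing would be piped in from each developer workstation or build image rather than embedded, and the `lookalike` bucket is the one to triage first: an unknown publisher may simply need review, whereas a publisher one or two characters away from a trusted namespace is the pattern a pre-publish check on the registry side is meant to catch before it reaches consumers.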