Eclipse Foundation Implements Pre-Publication Security Checks for Open VSX Extensions
In a significant move to bolster the security of the Open VSX Registry, the Eclipse Foundation has announced the implementation of mandatory pre-publication security checks for all Visual Studio Code (VS Code) extensions. This proactive measure aims to mitigate supply chain threats by preventing the dissemination of malicious extensions within the open-source repository.
Historically, the Open VSX Registry has operated on a reactive basis, addressing security concerns post-publication. Christopher Guindon, Director of Software Development at the Eclipse Foundation, highlighted the limitations of this approach:
"Up to now, the Open VSX Registry has relied primarily on post-publication response and investigation. When a bad extension is reported, we investigate and remove it. While this approach remains relevant and necessary, it does not scale as publication volume increases and threat models evolve."
The decision to shift towards pre-publication security checks is a response to the escalating frequency of attacks targeting open-source package registries and extension marketplaces. Malicious actors have increasingly exploited these platforms through tactics such as namespace impersonation and typosquatting. A recent incident underscored this vulnerability when a compromised publisher’s account was used to distribute malicious updates.
By instituting pre-publication checks, the Eclipse Foundation aims to reduce the exposure window and identify potential threats before they reach users. The new protocol will focus on detecting:
– Clear instances of extension name or namespace impersonation
– Accidentally published credentials or secrets
– Recognized malicious patterns
Suspicious uploads will be quarantined for further review rather than being published immediately.
This initiative aligns with similar security measures adopted by other platforms. For instance, Microsoft employs a multi-step vetting process for its Visual Studio Marketplace, which includes scanning incoming packages for malware, rescanning newly published packages shortly after publication, and conducting periodic bulk rescanning of all packages.
The Eclipse Foundation plans to roll out the extension verification program in stages. Throughout February 2026, maintainers will monitor newly published extensions without blocking publication. This period will be used to fine-tune the system, minimize false positives, and enhance feedback mechanisms. Enforcement of the new security checks is scheduled to commence in March 2026.
Guindon emphasized the objectives of this initiative:
"The goal and intent are to raise the security floor, help publishers catch issues early, and keep the experience predictable and fair for good-faith publishers. Pre-publish checks reduce the likelihood that obviously malicious or unsafe extensions make it into the ecosystem, which increases confidence in the Open VSX Registry as shared infrastructure."
This proactive approach is part of a broader effort to enhance the security of the Open VSX ecosystem. In October 2025, the Eclipse Foundation revoked a small number of leaked tokens within VS Code extensions published in the marketplace. These exposures, caused by developer errors rather than a compromise of the Open VSX infrastructure, prompted the foundation to introduce a token prefix format ovsxat_ to facilitate the detection of exposed tokens across public repositories.
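To make the mechanics of the checks described above concrete, here is an added illustration (not Open VSX code, and not how the Eclipse Foundation's scanner is implemented) of a pre-publish gate that combines the three ideas the article mentions: flagging namespaces that look like an established publisher, spotting leaked access tokens by their ovsxat_ prefix, and matching a short list of suspicious code patterns, with any hit sending the upload to quarantine instead of publishing it. The publisher list, the token format beyond its prefix, the pattern list and the sample uploads are all constructed for this example.

```python
"""Illustrative pre-publish scanner for extension uploads (added example, not
Open VSX code). Flags namespace look-alikes, leaked ovsxat_ tokens and a small
constructed set of suspicious code patterns; any finding means quarantine."""
import re
from dataclasses import dataclass, field

# Constructed set of established namespaces standing in for the registry's
# publisher list; a real check would consult the live registry.
KNOWN_NAMESPACES = {"redhat", "ms-python", "vscodevim", "esbenp"}

# The ovsxat_ prefix is the one the article describes; the length and alphabet
# of the remainder are assumptions made for this example.
TOKEN_RE = re.compile(r"\bovsxat_[A-Za-z0-9_-]{16,}")

# Constructed examples of code patterns a scanner might treat as suspicious
# (eval over a decoded base64 blob). A production list would be curated.
SUSPICIOUS_PATTERNS = [
    ("eval-of-base64", re.compile(r"eval\s*\(\s*(?:atob|Buffer\.from)\s*\(")),
]

# Fold visually confusable digits onto the letters they imitate.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(namespace: str) -> str:
    """Lower-case, fold confusables and drop separators so that
    'MS-Pyth0n' and 'ms_python' compare equal."""
    folded = namespace.lower().translate(_CONFUSABLES)
    return re.sub(r"[-_.]", "", folded)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_namespace(namespace: str, known=KNOWN_NAMESPACES):
    """Return the established namespace this one resembles, or None.
    An exact known namespace is its legitimate owner and is never flagged."""
    if namespace in known:
        return None
    norm = normalize(namespace)
    for candidate in sorted(known):
        cand_norm = normalize(candidate)
        if norm == cand_norm:
            return candidate
        # Require a few characters so short names do not collide by chance.
        if len(cand_norm) >= 5 and edit_distance(norm, cand_norm) <= 1:
            return candidate
    return None


def find_leaked_tokens(files: dict[str, str]) -> list[tuple[str, str]]:
    """Scan every packaged file for ovsxat_ tokens; report the path and a
    masked preview so the finding itself does not re-leak the secret."""
    hits = []
    for path, text in files.items():
        for match in TOKEN_RE.finditer(text):
            token = match.group(0)
            hits.append((path, token[:10] + "..." + token[-4:]))
    return hits


def find_suspicious_code(files: dict[str, str]) -> list[tuple[str, str]]:
    """Report (path, pattern label) for each file matching a known pattern."""
    return [(path, label) for path, text in files.items()
            for label, pattern in SUSPICIOUS_PATTERNS if pattern.search(text)]


@dataclass
class Decision:
    quarantine: bool
    reasons: list[str] = field(default_factory=list)


def prepublish_check(namespace: str, files: dict[str, str],
                     known=KNOWN_NAMESPACES) -> Decision:
    """Run all checks on one upload; any finding routes it to quarantine."""
    reasons = []
    target = lookalike_namespace(namespace, known)
    if target:
        reasons.append(f"namespace '{namespace}' resembles publisher '{target}'")
    for path, preview in find_leaked_tokens(files):
        reasons.append(f"access token {preview} found in {path}")
    for path, label in find_suspicious_code(files):
        reasons.append(f"suspicious pattern '{label}' in {path}")
    return Decision(quarantine=bool(reasons), reasons=reasons)


# Constructed sample uploads (file path -> contents); the token is a made-up value.
CLEAN_UPLOAD = {
    "package.json": '{"name": "hello", "publisher": "redhat", "version": "1.0.0"}',
    "out/extension.js": "exports.activate = () => console.log('hello');",
}
BAD_UPLOAD = {
    "package.json": '{"name": "hello", "publisher": "redhot", "version": "1.0.0"}',
    ".env": "OVSX_PAT=ovsxat_EXAMPLEEXAMPLEEXAMPLE1234\n",
    "out/extension.js": "eval(Buffer.from(payload, 'base64').toString());",
}

if __name__ == "__main__":
    for label, ns, files in [("clean", "redhat", CLEAN_UPLOAD),
                             ("suspicious", "redhot", BAD_UPLOAD)]:
        decision = prepublish_check(ns, files)
        print(label, "->", "QUARANTINE" if decision.quarantine else "PUBLISH")
        for reason in decision.reasons:
            print("   ", reason)
```

The decision is deliberately binary and the reasons are kept for the reviewer: quarantining on any finding matches the article's description of holding suspicious uploads for review, while the masked token preview and the recorded look-alike target are what a human triager needs to confirm or clear the upload. The look-alike threshold (distance of one on normalized names) is exactly the kind of knob the monitoring-only phase in February is meant to tune against false positives.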
The foundation also implemented several security measures, including:
– Reducing token lifetime limits by default to minimize the impact of accidental leaks
– Simplifying the process for token revocation upon notification
– Automated scanning of extensions at the time of publication to detect malicious code patterns or embedded secrets
These actions underscore the foundation’s commitment to strengthening the Open VSX Registry’s security and protecting developers from potential supply chain attacks.
The implementation of pre-publication security checks by the Eclipse Foundation represents a significant advancement in the ongoing effort to secure open-source software ecosystems. By proactively identifying and mitigating potential threats before they reach users, the foundation aims to foster a safer and more reliable environment for developers worldwide.