
One Extension to Own Them All: Critical VSCode Marketplace Vulnerability Puts Millions at Risk
Cybersecurity, Vulnerabilities, Software Development, Marketplace Security
The Koi Security research team has revealed a critical vulnerability in Open VSX, the extension marketplace used by more than 8 million developers through VSCode forks such as Cursor, Windsurf, Gitpod, and VSCodium. This vulnerability allowed attackers to take full control of the marketplace and silently push malicious updates to all extensions, thereby compromising any developer who had installed an extension, with no interaction required. The flaw originated from a misconfiguration in the GitHub Actions workflow and has since been corrected.