A critical flaw in Open VSX Registry discovered by Koi Security could allow attackers to hijack the Visual Studio Code extension hub, posing supply chain risks for millions of developers.
The vulnerability in the open-source Open VSX Registry, used by over 8,000,000 developers, could enable full control of the extensions marketplace and potentially compromise developer machines.
The flaw stemmed from a GitHub Actions workflow running npm install on untrusted extension code, a step that executes any install-time lifecycle scripts the extension's package.json declares, exposing a secret token (OVSX_PAT) that, if stolen, could lead to a complete marketplace takeover.
The disclosure timeline shows several proposed fixes before the issue was resolved, underscoring the significant supply chain risk the vulnerability posed and the importance of vetting and securing software dependencies.
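To make the failure mode concrete, the following is an added illustrative pair of GitHub Actions workflows; it is not Open VSX's actual pipeline nor code from Koi Security, and the job names, file paths, artifact names and the `open-vsx` environment are assumptions. The first workflow reproduces the pattern described above: a job-wide secret sits in the environment while `npm install` runs an untrusted extension's lifecycle scripts. The second separates building from publishing so the untrusted code never runs in a job that holds the token, and disables lifecycle scripts during dependency installation.

```yaml
# .github/workflows/publish-weak.yml  (assumed path; illustrative, not Open VSX's real workflow)
# Weak pattern: the publish token is visible to every step, including one that
# executes arbitrary code from the extension being processed.
name: publish-extension-weak
on:
  workflow_dispatch:
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      OVSX_PAT: ${{ secrets.OVSX_PAT }}   # job-wide: inherited by every step below
    steps:
      - uses: actions/checkout@v4
      # npm install runs preinstall/install/postinstall scripts declared in the
      # untrusted package.json, with OVSX_PAT present in the environment.
      - run: npm install
      - run: npx ovsx publish -p "$OVSX_PAT"

---
# .github/workflows/publish-hardened.yml  (assumed path; illustrative)
# Hardened pattern: untrusted code runs only in a job with no secrets, and the
# token is scoped to a single step of a separate job that receives a built artifact.
name: publish-extension-hardened
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    # No `env:` with secrets here: nothing in this job can read OVSX_PAT.
    steps:
      - uses: actions/checkout@v4
      # --ignore-scripts skips lifecycle scripts of the extension and its dependencies.
      - run: npm ci --ignore-scripts
      # Packaging may still run the extension's own build script; that is acceptable
      # only because this job holds no credentials to steal.
      - run: npx @vscode/vsce package
      - uses: actions/upload-artifact@v4
        with:
          name: extension-vsix   # assumed artifact name
          path: "*.vsix"
  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: open-vsx        # assumed protected environment that holds the token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: extension-vsix
      # The ovsx CLI reads the token from OVSX_PAT; the secret is exposed to this
      # one step only, and this job never executes code from the extension.
      - run: npx ovsx publish *.vsix
        env:
          OVSX_PAT: ${{ secrets.OVSX_PAT }}
```

The key design choice is the job boundary rather than the `--ignore-scripts` flag alone: skipping lifecycle scripts reduces the attack surface, but any build step that compiles the extension still runs untrusted code, so the durable mitigation is that no job which executes that code ever holds the publishing credential.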