Hi all,
I wanted to share that the Eclipse Foundation has started a short-term engagement with external contractors to deliver Short-Term Security Improvements for Open VSX. This project began this week and is expected to conclude by January 30, 2026.
For this first phase, we’re focusing on implementing pre-publish security checks to ensure that all new extensions are automatically scanned before publication. In a future phase, we would like to extend this work to include proactive scanning of existing extensions.
This work focuses on strengthening Open VSX through:
- Malware scanning to detect malicious or suspicious code
- Name-squatting detection to prevent impersonation at the namespace or extension level
- Secret and credential scanning to identify leaked API keys or credentials
- Binary inspection to flag unexpected or potentially harmful binaries
- Download flood control to prevent artificial inflation of extension popularity
- Administrative interface for reviewing and managing flagged or quarantined extensions
- Reporting and alerting tools to support manual review and transparency
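As an added illustration (not Open VSX's code and not part of the contractor work announced above), the following Python sketch shows the shape of three of the listed pre-publish checks: name-squatting detection, secret and credential scanning, and binary inspection. The registry lookup is replaced by a constructed set of known identifiers, the secret patterns and similarity threshold are assumptions, and the package under test is an in-memory sample built inline so the script runs offline. A non-empty list of findings is the signal to hold the extension for review rather than an automatic verdict.

```python
"""Illustrative pre-publish checks for an extension package (added example)."""
import difflib
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str    # which check fired
    path: str     # file path, or "namespace/name" for naming findings
    detail: str


@dataclass
class Extension:
    namespace: str
    name: str
    files: dict   # relative path -> raw bytes


# Constructed stand-in for already published identifiers (assumption).
KNOWN_EXTENSIONS = {
    ("redhat", "java"),
    ("ms-python", "python"),
    ("esbenp", "prettier-vscode"),
}

# Assumed patterns; a real scanner would carry a larger, maintained set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Leading magic bytes of common native executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/Windows executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit executable",
}


def _normalize(s):
    """Fold case and common look-alike substitutions before comparing names."""
    return s.lower().replace("_", "-").replace("0", "o").replace("1", "l")


def _similarity(a, b):
    return difflib.SequenceMatcher(None, _normalize(a), _normalize(b)).ratio()


def check_name_squatting(ext, known=KNOWN_EXTENSIONS, threshold=0.85):
    """Flag namespaces or names that closely resemble an existing one."""
    findings = []
    ident = f"{ext.namespace}/{ext.name}"
    for ns, name in known:
        if (ns, name) == (ext.namespace, ext.name):
            continue  # same identifier: a new version, not a new name
        if ext.namespace == ns:
            continue  # same publisher: not impersonation
        ns_ratio = _similarity(ext.namespace, ns)
        if ns_ratio >= threshold:
            findings.append(Finding("name_squatting", ident,
                            f"namespace resembles {ns!r} ({ns_ratio:.2f})"))
        # Same or similar extension name published under a different namespace.
        name_ratio = _similarity(ext.name, name)
        if name_ratio >= threshold:
            findings.append(Finding("name_squatting", ident,
                            f"name resembles {ns}/{name} ({name_ratio:.2f})"))
    return findings


def check_secrets(ext, patterns=SECRET_PATTERNS):
    """Report the type and location of a credential match, never its value."""
    findings = []
    for path, data in ext.files.items():
        text = data.decode("utf-8", errors="ignore")
        for label, pattern in patterns.items():
            for m in pattern.finditer(text):
                findings.append(Finding("secret", path, f"{label} at offset {m.start()}"))
    return findings


def check_binaries(ext, magic=EXECUTABLE_MAGIC):
    """Flag files whose leading bytes identify a native executable."""
    findings = []
    for path, data in ext.files.items():
        for prefix, kind in magic.items():
            if data.startswith(prefix):
                findings.append(Finding("binary", path, kind))
                break
    return findings


def run_checks(ext):
    """Run every check; a non-empty result means hold the package for review."""
    return check_name_squatting(ext) + check_secrets(ext) + check_binaries(ext)


# Constructed sample package that trips all three checks.
SAMPLE = Extension(
    namespace="ms-pyth0n",
    name="python",
    files={
        "package.json": b'{"name": "python", "publisher": "ms-pyth0n"}',
        # AKIAIOSFODNN7EXAMPLE is the placeholder access key from AWS documentation.
        "out/config.js": b"const key = 'AKIAIOSFODNN7EXAMPLE';\n",
        "bin/helper.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "README.md": b"# Python tools\n",
    },
)

if __name__ == "__main__":
    for f in run_checks(SAMPLE):
        print(f"[{f.check}] {f.path}: {f.detail}")
```

The secret check deliberately reports only the pattern label and offset, so the review queue and any alerting channel never carry the leaked value itself; the binary check keys on magic bytes rather than file extension, since a renamed executable is the case worth catching.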
We’re sharing our plans and progress with the community in the following issue, where we’ll also post updates as the work moves forward:
https://github.com/eclipse/openvsx/issues/1331#issuecomment-3503470384
I look forward to collaborating with all of you on this initiative. Your support and feedback—especially through code reviews and participation in discussions—will be key to making this engagement a success.
Cheers!