Re: [openvsx-dev] Sincere appeal for manual review and recovery path for my restricted Open VSX account

We are unable to approve your appeal.

John Kellerman
Eclipse Foundation

On Sat, May 9, 2026 at 3:13 PM <jerrylinap@xxxxxxxxx> wrote:

Hi Open VSX Team,

I am writing again sincerely to ask for your help and a fair manual review of my Open VSX account and extensions.

I understand that on the related GitHub issue, the response said that my extensions scanned as malware. I take that very seriously. I want to clearly and respectfully explain my situation: I did not intentionally publish malware, and I did not intend to harm users, steal data, or abuse the Open VSX platform.

I am an independent developer. I spent about two months developing these extensions, and this project represents a lot of my personal time and effort. The reason some parts of the package were obfuscated was to protect my own source code and development work, not to hide malicious behavior. I now understand that obfuscation, automation logic, or certain implementation patterns may look suspicious to security scanners, especially in the current supply-chain security environment around VS Code/Open VSX extensions.

If my package triggered a malware scanner or policy rule, I sincerely want to fix it. I am not asking to bypass review. I am asking for the specific technical findings so I can remediate correctly.

Could you please help me with the following:

  1. Please provide the exact detection category, scanner result, file, API usage, behavior, or rule that caused the extensions to be classified as malware.

  2. Please let me know whether the restriction is due to the malware scan result, Publisher Agreement state, namespace ownership, account/profile linking, or another account enforcement action.

  3. Please tell me the correct recovery path to restore my account/publisher access, sign or restore the Publisher Agreement state, create access tokens again, and submit a cleaned version for review.

  4. If obfuscation is the main concern, I am willing to remove obfuscation from future Open VSX packages and provide a cleaner, easier-to-review build.

  5. If any specific feature or code path is considered unsafe, I am willing to remove it completely and resubmit only after your review guidance.

Right now, when I try to access the Open VSX profile, I still receive this error:

Request for retrieving user profile failed: 500 Internal Server Error on GET request for “https://api.eclipse.org/openvsx/profile”:

I also see that my namespace/account access appears to be restricted, so I cannot resolve this through the normal publisher dashboard.

I respect Open VSX’s responsibility to protect users and the ecosystem. I only hope you can understand that I am trying to cooperate and correct the situation. This account was suddenly blocked after a long period of development work, and without concrete findings I do not know what exactly needs to be changed.

Please give me a chance to fix any real issue and return to good standing. I am willing to pause publishing, remove obfuscation, clean the package, and follow whatever review process you require.

Thank you very much for your time and help.

Best regards,
Jerry

