






















Published on:
Nov 6, 2025
About 2 hours ago, we detected another three extensions on Open VSX that have been compromised by the threat actor we’ve been documenting since March, using non-printable characters. Last week, we identified that they had also started compromising GitHub repositories. Today, we are observing another wave of attacks against legitimate Open VSX extensions.
The three we’ve identified at the time of writing are:
At this time, we've notified Open VSX about our discovery, and are attempting to contact the maintainers as well.
This wave comes after a security update published by Open VSX (Eclipse Foundation) on October 27th, acknowledging the attacks that occurred, and outlining the defenses they are planning to put in place:
https://blogs.eclipse.org/post/mika%C3%ABl-barbero/open-vsx-security-update-october-2025
At the time, they believed that the incident was fully contained. However, today's events suggest this is still an ongoing situation we haven’t seen the end of yet, unfortunately.
Even as we see another wave of this attack, we commend Open VSX for the actions they plan to take. Especially the Automated Scanning of extensions at publication is big, since this is also what we do here at Aikido. However, we cannot scan extensions before they are published. If implemented correctly, this will protect against many attacks in the ecosystem. We applaud this initiative that the Eclipse Foundation is showing.
It’s difficult to defend against something you can’t see, as is the case with this specific attack. But from the very start, we’ve been tracking this threat actor since March, and have done extensive coverage of it. Our previous publications and technical information continues to be relevant, and we will continue to post more information if/as things evolve.
https://www.aikido.dev/blog/youre-invited-delivering-malware-via-google-calendar-invites-and-puas
https://x.com/AikidoSecurity/status/1979207669044122111
Last updated on:
Nov 6, 2025
Secure your software now
Start today, for free.
Start for Free
No CC required
4.7/5
Tired of false positives?
Try Aikido like 100k others.
Start Now
Get a personalized walkthrough
Trusted by 100k+ teams
Book Now
Scan your app for IDORs and real attack paths
Trusted by 100k+ teams
Start Scanning
See how AI pentests your app
Trusted by 100k+ teams
Start Testing
April 17, 2026
•
Vulnerabilities & Threats
Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.
#
Vulnerabilities
#
open-source
April 14, 2026
•
Vulnerabilities & Threats
Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.
April 8, 2026
•
Vulnerabilities & Threats
GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.
#
Malware
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
No credit card required | Scan results in 32secs.


此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。