Short-Term Security Improvements for Open VSX
In an ideal scenario, we should implement an extensible verification pipeline that inspects all extensions and versions before publication, with mechanisms such as:
- Malware detection to identify malicious or suspicious code.
- Name squatting detection to prevent impersonation at the namespace or extension level.
- Secret scanning to catch accidental leaks of API keys or credentials.
- Binary scanning to flag unexpected or potentially harmful binaries.
- Mechanism to prevent artificial inflation of extension popularity.
Extensions that fail checks would be quarantined and flagged for admin review.
We should also include basic reporting and alerting to support manual review.
The Operator should also have a tool to search for known signatures (assuming they weren't known at upload time in the pipeline); for example, the recent GlassWorm malware had a clear Unicode codepoint which can be used to remove, or at least block, all affected extensions once the researchers notified ESF.
I can see that most enterprises can't permit OpenVSX usage without some content-protection guarantees.
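To make the pipeline sketched above concrete, here is an added example (not Open VSX code, and not anything the contractors have published) of a pluggable pre-publish verifier with four of the listed checks: a search for invisible Unicode codepoints in source text, secret-shape scanning, native-binary detection by magic number, and look-alike name detection against already-published identifiers. The specific GlassWorm codepoint is not on this page, so the Unicode check generalizes to any format, private-use or control codepoint; the token patterns, magic numbers and all sample files are constructed assumptions.

```python
"""Toy pre-publish verification pipeline (added illustration, not Open VSX code).

Every check takes a {path: bytes} map of the extension's files and returns
findings; any finding quarantines the extension for admin review instead of
publishing it. All file contents and identifiers below are constructed samples."""
import re
import unicodedata
from dataclasses import dataclass

@dataclass
class Finding:
    check: str
    path: str
    detail: str

TEXT_SUFFIXES = (".js", ".ts", ".json", ".md")

def check_invisible_unicode(files):
    """Flag format (Cf), private-use (Co) and control codepoints in source text.

    Assumption: the thread only says GlassWorm used a distinctive codepoint, so this
    flags anything an editor would render invisibly. A leading BOM is tolerated."""
    findings = []
    for path, data in files.items():
        if not path.endswith(TEXT_SUFFIXES):
            continue
        text = data.decode("utf-8", errors="replace")
        for i, ch in enumerate(text):
            if i == 0 and ch == "\ufeff":
                continue
            cat = unicodedata.category(ch)
            if cat in ("Cf", "Co") or (cat == "Cc" and ch not in "\t\n\r"):
                findings.append(Finding("invisible-unicode", path, f"U+{ord(ch):04X} at offset {i}"))
                break  # one hit is enough to quarantine the file
    return findings

# Constructed token shapes; a real scanner would carry many more patterns.
SECRET_PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def check_secrets(files):
    findings = []
    for path, data in files.items():
        text = data.decode("utf-8", errors="replace")
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding("secret", path, name))
    return findings

# Magic numbers of native executables, which a VS Code extension rarely needs to ship.
BINARY_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable",
                b"\xcf\xfa\xed\xfe": "Mach-O executable"}

def check_binaries(files):
    return [Finding("binary", path, kind) for path, data in files.items()
            for magic, kind in BINARY_MAGIC.items() if data.startswith(magic)]

def _normalize(name):
    """Fold look-alike digits and separators so 'ms-pyth0n' compares equal to 'ms_python'."""
    return name.lower().translate(str.maketrans("01", "ol", "-_."))

def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_name_squatting(namespace, name, known_ids):
    """Flag a new 'namespace.name' within edit distance 1 of a published one (after folding)."""
    new_id = f"{namespace}.{name}"
    return [Finding("name-squatting", new_id, f"resembles {existing}")
            for existing in sorted(known_ids)
            if existing != new_id and _levenshtein(_normalize(new_id), _normalize(existing)) <= 1]

def verify_extension(namespace, name, files, known_ids):
    """Run every check; return ('published', []) or ('quarantined', findings)."""
    findings = check_invisible_unicode(files) + check_secrets(files) + check_binaries(files)
    findings += check_name_squatting(namespace, name, known_ids)
    return ("quarantined" if findings else "published"), findings

# Constructed sample: a look-alike namespace shipping a hidden codepoint, a token and an ELF.
KNOWN_IDS = {"redhat.java", "ms-python.python"}
SAMPLE_FILES = {
    "extension.js": "module.exports = 1;\u200b".encode("utf-8"),  # zero-width space
    "config.json": b'{"token": "ghp_' + b"a" * 36 + b'"}',
    "bin/helper": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "README.md": b"# Hello\n",
}

if __name__ == "__main__":
    status, found = verify_extension("ms-pyth0n", "python", SAMPLE_FILES, KNOWN_IDS)
    print(status)
    for f in found:
        print(f"  [{f.check}] {f.path}: {f.detail}")
```

Each check is independent and returns findings rather than raising, so the admin interface can show all reasons an extension was held at once; the same check functions can also be run retroactively over already-published versions when a new signature (such as a newly reported codepoint) becomes known.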
Update (November 2025): Project Kickoff
The Eclipse Foundation has initiated a short-term engagement with a contractor to implement a series of security and infrastructure improvements for the Open VSX.
The project began in early November 2025 and is expected to be completed by January 30, 2026.
Scope of Work
The engagement will deliver an extensible pre-publish verification framework that automatically inspects all extensions and versions before publication.
Key features include:
- Malware and YARA-based scanning to detect malicious or suspicious code
- Name-squatting detection to prevent impersonation at the namespace or extension level
- Secret and credential scanning to identify leaked API keys or credentials
- Binary inspection to flag unexpected or potentially harmful binaries
- Download flood control to prevent artificial inflation of extension popularity
- Administrative interface for reviewing and managing flagged or quarantined extensions
- Reporting and alerting tools to support manual review and transparency
Confidentiality Note
While most of this work will be done in public repositories following the Eclipse Development Process, some security-sensitive implementation details will remain confidential to prevent circumvention or abuse of the new verification mechanisms.
Ongoing progress and coordination will continue to be shared through this issue.
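The download flood control item in the scope above is the one feature not covered by a scan of the extension's contents, so here is an added example (not Open VSX code, and not the contractors' design) of one way a popularity counter can be protected. It assumes two rules: a given client counts toward an extension's downloads at most once per dedup window, and a client exceeding a request cap within a sliding window is still served but stops being counted and is reported for review. The client key is assumed to be an opaque identifier the server derives (for example a keyed hash of address and user agent); the timestamps and clients are constructed.

```python
"""Download flood control (added illustration, not Open VSX code).

Rules are assumptions, not the project's specification:
1. (client, extension) increments the counter at most once per `dedup_window` seconds.
2. A client exceeding `cap` requests within `cap_window` seconds is flagged and no
   longer counted; it is still served so legitimate users behind shared addresses
   are not broken by the counter policy."""
from collections import defaultdict, deque

class DownloadCounter:
    def __init__(self, dedup_window=3600, cap=60, cap_window=60):
        self.dedup_window = dedup_window
        self.cap = cap
        self.cap_window = cap_window
        self.counts = defaultdict(int)      # extension id -> counted downloads
        self.last_counted = {}              # (client, ext) -> time of last counted download
        self.requests = defaultdict(deque)  # client -> request timestamps inside cap_window
        self.flagged = set()                # clients that tripped the cap, for admin review

    def record(self, client, ext, now):
        """Register one download request; return True if it counted toward popularity."""
        window = self.requests[client]
        window.append(now)
        while window and window[0] <= now - self.cap_window:
            window.popleft()
        if len(window) > self.cap:
            self.flagged.add(client)
            return False
        key = (client, ext)
        last = self.last_counted.get(key)
        if last is not None and now - last < self.dedup_window:
            return False  # repeat download inside the dedup window
        self.last_counted[key] = now
        self.counts[ext] += 1
        return True

def simulate_flood():
    """Constructed scenario: one honest client and one client hammering the endpoint."""
    counter = DownloadCounter(dedup_window=3600, cap=60, cap_window=60)
    counter.record("client-a", "acme.hello", now=0)       # counted
    counter.record("client-a", "acme.hello", now=10)      # repeat inside dedup window
    counter.record("client-a", "acme.hello", now=4000)    # new window, counted again
    for i in range(500):                                  # 500 requests in 50 seconds
        counter.record("client-b", "acme.hello", now=i * 0.1)
    return counter.counts["acme.hello"], counter.flagged

if __name__ == "__main__":
    total, flagged = simulate_flood()
    print(f"counted downloads: {total}, flagged clients: {sorted(flagged)}")
```

The dedup rule alone defeats the simplest inflation (one client looping on a download URL); the cap adds a signal for the reporting and alerting tools, since a client that trips it repeatedly across many extensions is worth a look even when each individual count was suppressed.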
Adding @Janbro, @alejandro-n-rivera, and @bkojusner — the contractors engaged for this project.
Welcome aboard! We look forward to working closely with you on the upcoming security enhancements for Open VSX.
From the Foundation side, @netomi and I will be supporting this engagement and coordinating with other teams across the Foundation as needed to help ensure the project progresses smoothly.
A quick update for anyone not following the sub-issues. @janbro shared architecture diagrams and admin panel mockups for this project here: https://github.com/eclipse/openvsx/issues/1395#issuecomment-3550822313