Cybersecurity researchers have disclosed details of a now-patched bug impacting Open VSX’s pre-publish scanning pipeline to cause the tool to allow a malicious Microsoft Visual Studio Code (VS Code) extension to pass the vetting process and go live in the registry.
„The pipeline had a single boolean return value that meant both ’no scanners are configured‘ and ‚all scanners failed to run,'“ Koi
https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html