Cybersecurity researchers discovered a vulnerability in the Open VSX registry that allowed malicious Visual Studio Code extensions to bypass security scans by triggering database connection failures during publication.
Key points
- The "Open Sesame" vulnerability allowed malicious extensions to bypass the mandatory pre-publish security checks by overloading the database connection pool that the registry's scanning pipeline depends on.
- A flaw in the Java-based service caused it to misinterpret a failure to create scanner jobs as a "no scanners configured" state, so the publish step continued as if no scan were required: the gate failed open instead of failing closed.
- Attackers could exploit this by flooding the publish endpoint to exhaust the database connection pool, so that scan jobs could not be enqueued for the extension being published.
- The Eclipse Foundation addressed the issue in Open VSX version 0.32.0 following a responsible disclosure on February 8, 2026.
- Open VSX serves as the primary extension marketplace for VS Code-compatible editors such as Cursor and Windsurf (Microsoft's own VS Code builds default to the Visual Studio Marketplace), so an unscanned malicious extension there reaches a large developer population.
This vulnerability highlights the risk of "fail-open" error handling in automated security pipelines: an infrastructure error in the scanning step was indistinguishable from a deliberate configuration with no scanners, and the safe-looking default for the latter let malicious code through. A scan gate should fail closed, meaning that an error while scheduling or running scans blocks or defers publication rather than skipping it, and the "nothing to scan" decision should be made from explicit configuration, never inferred from an empty result. Such explicit failure states are critical for maintaining the integrity of software supply chains used by millions of developers.
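As an added illustration, not Open VSX's own code, the model below contrasts the fail-open gate described above with a fail-closed one. It is written in Python rather than the registry's Java to keep it short; the bounded connection pool, the scanner names, the extension id and the `simulate` helper (which stands in for a flood of concurrent publish requests holding connections) are all constructed for this example.

```python
"""Model of a fail-open vs. fail-closed pre-publish scan gate (hypothetical).

Both publish paths share the same job-enqueue step, which needs a database
connection. The vulnerable path swallows the enqueue error and then treats an
empty job list as "no scanners configured", so pool exhaustion becomes an
unscanned publish. The hardened path decides "no scanners" from configuration
alone and refuses the publish on any enqueue error.
"""
from dataclasses import dataclass, field
from enum import Enum


class PoolExhausted(Exception):
    """Raised when every connection in the pool is already checked out."""


class ConnectionPool:
    """Toy bounded pool: connections are only counted, never opened."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.in_use = 0

    def acquire(self) -> None:
        if self.in_use >= self.size:
            raise PoolExhausted(f"all {self.size} connections in use")
        self.in_use += 1

    def release(self) -> None:
        self.in_use -= 1


class Verdict(Enum):
    PUBLISHED_UNSCANNED = "published without any scan"
    PENDING_SCAN = "held until the scan jobs complete"
    REJECTED = "publish rejected, client should retry"


@dataclass
class ScanPipeline:
    pool: ConnectionPool
    scanners: list[str]                      # scanner names set by the operator
    queue: list[tuple[str, str]] = field(default_factory=list)

    def _enqueue(self, scanner: str, ext_id: str) -> tuple[str, str]:
        """Persist one scan job; the insert needs a database connection."""
        self.pool.acquire()
        try:
            job = (scanner, ext_id)
            self.queue.append(job)
            return job
        finally:
            self.pool.release()

    # Vulnerable: an enqueue error is indistinguishable from "nothing configured".
    def publish_fail_open(self, ext_id: str) -> Verdict:
        jobs = []
        for scanner in self.scanners:
            try:
                jobs.append(self._enqueue(scanner, ext_id))
            except PoolExhausted:
                pass  # BUG: the failure silently shrinks the job list
        if not jobs:
            return Verdict.PUBLISHED_UNSCANNED  # read as "no scanners": skip gate
        return Verdict.PENDING_SCAN

    # Hardened: configuration decides the skip; any enqueue error fails closed.
    def publish_fail_closed(self, ext_id: str) -> Verdict:
        if not self.scanners:
            return Verdict.PUBLISHED_UNSCANNED  # explicit operator choice
        enqueued = []
        try:
            for scanner in self.scanners:
                enqueued.append(self._enqueue(scanner, ext_id))
        except PoolExhausted:
            for job in enqueued:  # drop partial jobs so a retry starts clean
                self.queue.remove(job)
            return Verdict.REJECTED
        assert len(enqueued) == len(self.scanners)  # every scanner got a job
        return Verdict.PENDING_SCAN


def simulate(held_connections: int, scanners: list[str], fail_closed: bool) -> Verdict:
    """Publish once while `held_connections` other requests occupy the pool."""
    pool = ConnectionPool(size=4)
    for _ in range(held_connections):  # constructed flood of in-flight publishes
        pool.acquire()
    pipeline = ScanPipeline(pool, scanners)
    gate = pipeline.publish_fail_closed if fail_closed else pipeline.publish_fail_open
    return gate("example.suspicious-extension-1.0.0")  # hypothetical extension id


if __name__ == "__main__":
    scanners = ["malware", "secrets"]
    for held in (0, 4):
        print(f"held={held}: fail-open -> {simulate(held, scanners, False).value}; "
              f"fail-closed -> {simulate(held, scanners, True).value}")
```

With the pool saturated (`held=4`), the fail-open gate publishes the extension with no scan at all, while the fail-closed gate rejects the request so the client retries once the registry recovers; with a free pool both paths hold the extension until its scan jobs finish. The only way to reach an unscanned publish through the hardened path is an operator configuring no scanners, which is an auditable decision rather than a side effect of load.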