Currently, only the latest active major version receives security updates.
| Version | Supported |
|---|---|
| 0.11.x | ✅ |
| 0.10.x | ❌ |
| < 0.10 | ❌ |
Please report any suspected vulnerabilities by opening an issue or contacting the maintainers directly. We will provide an initial assessment within 24 hours.
Discovered by: rcss @ AikidoSec
We were informed of a supply chain attack specifically targeting the Open-VSX Registry for the fast-draft extension. A compromised publisher token was used to publish malicious extensions that download a Remote Access Trojan (RAT).
Only the following legacy versions downloaded from the Open-VSX Registry are affected:
0.10.890.10.1050.10.1060.10.112
Note: The official VS Code Marketplace distributions (
0.11.xand all prior) were not impacted by this breach.
- Remove Old Versions: If you are using any of the affected versions (
0.10.89to0.10.112) from Open-VSX (e.g., via VSCodium, Gitpod, or Coder), uninstall the extension immediately. - Scan Your System: We strongly recommend running a full anti-virus/malware scan if you installed the affected versions, as the payload installs a remote shell.
- Update: Upgrade to the latest secure version
0.11.328or newer, which has been published using newly secured infrastructure.
- Revoked all existing Open-VSX publisher tokens.
- Audited repository history and verified no
.envor CI secrets were exposed via git. - scrubbed local environments and rotated all associated ecosystem tokens (
VSCE_PAT,NPM_TOKEN, etc.). - Contacted Open-VSX to permanently yank the malicious blobs from their servers.
We sincerely thank rcss and the AikidoSec team for their swift and responsible disclosure that allowed us to lock down the registry before further harm occurred.