Creative Tooling

Open VSX Became AI Coding's Shared Weak Point

Cursor, Windsurf and other AI-native code editors all route extensions through Open VSX, and the GlassWorm/GlassWASM malware campaigns show the registry was outgrown before it was secured.

Cursor, Windsurf, Google’s Antigravity, AWS’s Kiro and Gitpod’s Ona are all built by forking Microsoft’s VS Code, inheriting its extension architecture but not the marketplace Microsoft built to police it, since licensing bars them from serving Microsoft’s own store. Instead, every one of them quietly points its users at the same alternative: Open VSX, a vendor-neutral registry maintained by the nonprofit Eclipse Foundation. That single dependency has just become the shared attack surface for the entire current wave of AI-native editors, and a malware campaign called GlassWorm, which resurfaced in June as the WebAssembly-obfuscated GlassWASM barely two weeks after a coordinated takedown, is the clearest evidence yet of what that concentration costs.

One registry now carries traffic it was never built for

Open VSX wasn’t designed as critical infrastructure. It was a modest, community-run alternative for VS Code-based tools that couldn’t touch Microsoft’s terms of service. Then the AI-IDE boom happened, and according to the Eclipse Foundation’s own announcement, the registry now handles more than 300 million downloads a month, with peak daily traffic exceeding 200 million requests across 12,000-plus extensions from 8,000-plus publishers. Eclipse Foundation executive director Mike Milinkovich named the cause directly, noting that “as AI-era usage drives exponential growth in traffic and operational complexity, commercial adopters require defined service levels.” Thomas Froment, writing on the Eclipse Foundation’s blog, put the shift in starker terms: “extension marketplaces have quietly become one of the most strategic control points in modern developer tooling,” and “the registry behind those extensions is no longer a secondary service. It is infrastructure.” That’s an unusual thing for a nonprofit-run registry to become by accident, but accident is more or less how it happened — nobody chose Open VSX as the trust layer for a multibillion-dollar wave of AI coding tools; the vendors just needed somewhere legal to point, and they all pointed at the same place.

Professionalizing under pressure is still professionalizing under pressure — it happened because GlassWorm forced the question, not because anyone budgeted for it in advance.

GlassWorm exploited exactly the vetting gap that growth created

The GlassWorm campaign showed what an underscanned registry at that scale looks like to an attacker. According to Socket’s research, sleeper extensions were planted in mid-March 2026 as apparently benign packages, then converted days later into extension packs that pulled in malicious dependencies, with clean-looking TypeScript source masking more than 620 lines of obfuscated JavaScript injected into the compiled output, commanded via a Solana wallet. Socket named Cursor and Windsurf explicitly among the editors exposed by consuming Open VSX. A coordinated takedown in late May by CrowdStrike, Google and the Shadowserver Foundation cut all four of the malware’s command-and-control channels, but the operation had adapted within weeks. As Security Point Break reported, the returning GlassWASM variant cloned two legitimate extensions wholesale, matching publisher IDs included, and compiled its payload to WebAssembly so that “no plaintext network indicators, URLs, or commands” existed anywhere in the binary, with every meaningful string encrypted using a ChaCha20 cipher. That is not the work of an opportunist; it is the work of someone who studied the registry’s blind spots and built specifically around them, again targeting VSCodium, Cursor, Windsurf and Gitpod.

A managed registry is real progress, not proof the gap was never there

The response since has been genuine rather than cosmetic. In April, the Eclipse Foundation launched an Open VSX Managed Registry with a 99.95% uptime commitment, pre-publish checks, and funding from the commercial adopters — Kiro, Antigravity, Cursor, Windsurf, IBM Bob and Ona among them — that had been relying on the free version for their user bases. Separately, Cursor, Windsurf and Google patched a “recommended extension” name-squatting flaw after responsible disclosure, closing off a technique where attackers registered extension names that VS Code forks recommended but that didn’t actually exist in Open VSX. It’s also fair to note, as some in the ecosystem have, that Microsoft’s own Marketplace has shipped malicious extensions for years, so this attack surface predates the AI-editor boom rather than being invented by it. But neither point erases the more specific failure: five well-funded companies built products on top of a nonprofit’s infrastructure, scaled their user base against it by orders of magnitude, and left the vetting question to be solved after the worm arrived rather than before. Professionalizing under pressure is still professionalizing under pressure — it happened because GlassWorm forced the question, not because anyone budgeted for it in advance.

The pattern echoes something playing out elsewhere in developer tooling, where a review system built for one era of software quietly stops applying to the next one well before anyone updates the guarantees users think they’re getting. Open VSX’s managed tier is a real fix, but it’s arriving as a retrofit, funded by the same companies that spent two years treating the registry as someone else’s problem while it absorbed their growth.