About 2 hours ago, we detected another three extensions on Open VSX that have been compromised by the threat actor we’ve been documenting since March, using non-printable characters. Last week, we identified that they had also started compromising GitHub repositories. Today, we are observing another wave of attacks against legitimate Open VSX extensions.
The three we’ve identified at the time of writing are:
- adhamu/history-in-sublime-merge@1.3.4 (4k downloads)
- yasuyuky/transient-emacs@0.23.1 (2.4k downloads)
- ai-driven-dev/ai-driven-dev@0.4.11 (3.3k downloads)
At this time, we've notified Open VSX about our discovery and are attempting to contact the maintainers as well.
Open VSX October 27th update
This wave comes after a security update published by Open VSX (Eclipse Foundation) on October 27th, acknowledging the attacks that occurred, and outlining the defenses they are planning to put in place:
https://blogs.eclipse.org/post/mika%C3%ABl-barbero/open-vsx-security-update-october-2025
At the time, they believed that the incident was fully contained. Unfortunately, today's events suggest this is still an ongoing situation, and we have not seen the end of it yet.
Even as we see another wave of this attack, we commend Open VSX for the actions it plans to take. Automated scanning of extensions at publication is especially significant: it is also what we do here at Aikido, but we can only scan extensions after they have been published, not before. If implemented correctly, this will protect against many attacks in the ecosystem, and we applaud the Eclipse Foundation for taking this initiative.
An ongoing saga
It’s difficult to defend against something you can’t see, as is the case with this specific attack. But we have been tracking this threat actor since March and have covered it extensively. Our previous publications and technical information remain relevant, and we will continue to post more information as things evolve.
https://www.aikido.dev/blog/youre-invited-delivering-malware-via-google-calendar-invites-and-puas
https://x.com/AikidoSecurity/status/1979207669044122111
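The attack hides in characters that do not render, so the most direct defensive check is to look for exactly those code points in an extension's source. The following scanner is an added example written for this post, not Aikido's or Open VSX's tooling; the set of flagged ranges is an assumption drawn from commonly abused invisible Unicode characters, since the post does not list the ones the actor used, and the sample input is constructed.

```javascript
// Added example, not Aikido's or Open VSX's tooling: flag code points that
// render as nothing (or as blank) but are not ordinary ASCII whitespace.
// The set below is an assumption built from commonly abused invisible
// Unicode ranges; the page does not list the characters used in the attack.
const INVISIBLE_POINTS = new Set([
  0x00ad,                                 // SOFT HYPHEN
  0x200b, 0x200c, 0x200d,                 // ZERO WIDTH SPACE / NON-JOINER / JOINER
  0x200e, 0x200f,                         // LEFT-TO-RIGHT / RIGHT-TO-LEFT MARK
  0x202a, 0x202b, 0x202c, 0x202d, 0x202e, // bidi embeddings and overrides
  0x2060, 0x2061, 0x2062, 0x2063, 0x2064, // WORD JOINER, invisible operators
  0x2066, 0x2067, 0x2068, 0x2069,         // bidi isolates
  0x115f, 0x1160, 0x3164, 0xffa0,         // Hangul fillers (render as blank)
]);

// offset is the UTF-16 index; a BOM (U+FEFF) is normal only at offset 0.
function isSuspicious(cp, offset) {
  if (cp === 0xfeff) return offset !== 0;
  if (INVISIBLE_POINTS.has(cp)) return true;
  if (cp >= 0xe0000 && cp <= 0xe007f) return true; // Unicode "tag" characters
  if (cp >= 0xe000 && cp <= 0xf8ff) return true;   // BMP private use area
  if (cp < 0x20) return cp !== 0x09 && cp !== 0x0a && cp !== 0x0d; // C0 controls
  return cp >= 0x7f && cp <= 0x9f;                 // DEL and C1 controls
}

// Returns one finding per suspicious code point with 1-based line and column.
function findInvisibleCharacters(source) {
  const findings = [];
  let line = 1, col = 1, offset = 0;
  for (const ch of source) {            // iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (isSuspicious(cp, offset)) {
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      findings.push({ line, col, codePoint: 'U+' + hex });
    }
    if (cp === 0x0a) { line += 1; col = 1; } else { col += 1; }
    offset += ch.length;
  }
  return findings;
}

// Constructed sample: an innocent-looking activate() whose string literals
// hide two zero-width characters and a run of Unicode tag characters.
const SAMPLE =
  'function activate() {\n' +
  '  const id = "ok\u200b\u200d";\n' +
  '  const marker = "\u{e0061}\u{e0062}";\n' +
  '}\n';

console.log(findInvisibleCharacters(SAMPLE));
```

Expect some legitimate hits in minified bundles that embed icon-font glyphs from the private use area; treat findings as triage leads for a manual look, not as verdicts.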