Aikido

Invisible Unicode Malware Strikes OpenVSX, Again

Written by
Charlie Eriksen

About two hours ago, we detected another three extensions on Open VSX that have been compromised, using non-printable characters, by the threat actor we have been documenting since March. Last week, we identified that the same actor had also started compromising GitHub repositories. Today, we are observing another wave of attacks against legitimate Open VSX extensions.

The three we’ve identified at the time of writing are:

At this time, we've notified Open VSX about our discovery, and are attempting to contact the maintainers as well.

Open VSX October 27th update

This wave comes after a security update published by Open VSX (Eclipse Foundation) on October 27th, acknowledging the attacks that occurred, and outlining the defenses they are planning to put in place:

https://blogs.eclipse.org/post/mika%C3%ABl-barbero/open-vsx-security-update-october-2025

At the time, they believed the incident was fully contained. Today's events suggest otherwise: this is still an ongoing situation, and we have not seen the end of it yet.

Even as another wave of this attack lands, we commend Open VSX for the measures it plans to take. The most significant is automated scanning of extensions at publication time. This is also what we do at Aikido, but we can only scan an extension after it has been published, whereas the registry itself can check it before it is published. Implemented correctly, this will stop many attacks in the ecosystem, and we applaud the Eclipse Foundation for taking the initiative.

An ongoing saga

It is difficult to defend against something you cannot see, which is exactly what this attack relies on. We have been tracking this threat actor since March and have covered it extensively; our previous publications and technical analysis continue to apply, and we will post more information as the situation evolves.

https://www.aikido.dev/blog/youre-invited-delivering-malware-via-google-calendar-invites-and-puas

https://x.com/AikidoSecurity/status/1979207669044122111

https://www.aikido.dev/blog/the-return-of-the-invisible-threat-hidden-pua-unicode-hits-github-repositorties
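As an added illustration of the point above, here is a small Python check that flags the classes of Unicode character an editor renders as nothing. This is example code written for this page, not Aikido's scanner and not anything from the Open VSX project. The extension source it scans is constructed here and is not taken from any real compromised extension; the specific code points the threat actor uses are not documented on this page, so the check flags the whole class (Private Use Area, format characters, stray controls) rather than a particular sequence.

```python
import unicodedata

# Unicode general categories that an editor renders as nothing (or as a
# glyph-less box) yet which survive in source text and reach the runtime:
#   Co = Private Use Area code points, which have no assigned meaning
#   Cf = format characters (zero-width spaces/joiners, bidi overrides, BOM)
#   Cc = control characters other than ordinary whitespace
INVISIBLE_CATEGORIES = {"Co", "Cf"}
BENIGN_CONTROLS = {"\t", "\n", "\r"}


def is_invisible(ch):
    """True for a single character that would be hidden from a reviewer."""
    cat = unicodedata.category(ch)
    if cat in INVISIBLE_CATEGORIES:
        return True
    return cat == "Cc" and ch not in BENIGN_CONTROLS


def scan_source(text):
    """Return one (line, column, code point, category) tuple per hidden
    character. Lines and columns are 1-based and count code points, not
    bytes. A byte-order mark as the very first character is tolerated,
    since many editors emit one; anywhere else U+FEFF is reported."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if line_no == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                findings.append(
                    (line_no, col, f"U+{ord(ch):04X}", unicodedata.category(ch))
                )
    return findings


def summarize(findings):
    """Group hits by line so a reviewer sees runs of hidden code points
    rather than one alert per character."""
    by_line = {}
    for line_no, _col, code_point, _cat in findings:
        by_line.setdefault(line_no, []).append(code_point)
    return by_line


def scan_file(path):
    """Scan a file on disk. Bytes that are not valid UTF-8 are decoded as
    lone surrogates (category Cs); is_invisible does not flag those, so
    they are counted separately and returned next to the findings."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        text = fh.read()
    undecodable = sum(1 for ch in text if unicodedata.category(ch) == "Cs")
    return scan_source(text), undecodable


# Constructed sample (not taken from any real extension): a plausible
# entry point in which a run of Private Use Area characters hides in a
# comment and a zero-width space sits inside a string literal.
SAMPLE = (
    "const vscode = require('vscode');\n"
    "// helper \ue041\ue042\ue043\ue044\n"
    "function activate(context) {\n"
    "  const greeting = 'hello\u200bworld';\n"
    "  console.log(greeting);\n"
    "}\n"
    "module.exports = { activate };\n"
)

if __name__ == "__main__":
    hits = scan_source(SAMPLE)
    for line_no, col, code_point, cat in hits:
        print(f"line {line_no} col {col}: {code_point} ({cat})")
    print(summarize(hits))
```

Run scan_file over the JavaScript inside an unpacked .vsix before installing it, or over a diff before merging. A hit in category Co is almost never legitimate in source code; Cf hits deserve a look before being dismissed, because U+200D and friends do appear in emoji sequences and bidi controls appear in right-to-left user-facing strings, but they have no business in identifiers or in code outside string literals.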

https://www.aikido.dev/blog/invisible-unicode-malware-strikes-openvsx-again