Creative Tooling

Open VSX Became AI Coding's Shared Weak Point

Cursor, Windsurf and nearly every AI code editor quietly download their add-ons from one small registry, Open VSX, and the GlassWorm malware shows it was outgrown before it was secured.

When you install an add-on in Cursor or Windsurf — a theme, a language pack, an AI helper — you trust that whatever lands in your editor is what its listing claims. Almost nobody asks where it came from. For nearly every AI-native code editor, the answer is the same address: Open VSX, a free, vendor-neutral registry run by the nonprofit Eclipse Foundation. Cursor, Windsurf, Google’s Antigravity, AWS’s Kiro and Gitpod’s Ona are all built on Microsoft’s VS Code, but licensing bars them from Microsoft’s own extension store — so each points its users elsewhere, and all landed on the same place. That shared dependency has quietly become the soft spot under the entire AI-coding wave, and a malware campaign called GlassWorm has spent the year proving it in public.

A side project is now load-bearing for the whole industry

Open VSX was never built to carry this. It began as a modest, community-run alternative for editors that couldn’t legally touch Microsoft’s store — a useful side project. Then the AI-editor boom hit. By the Eclipse Foundation’s own count, the registry now serves more than 300 million downloads a month, peaking past 200 million requests on its busiest days, across 12,000-plus extensions from 8,000-plus publishers. Eclipse executive director Mike Milinkovich tied the strain to AI-era growth and the service levels commercial adopters now demand. His colleague Thomas Froment put it more bluntly on the Eclipse blog: “the registry behind those extensions is no longer a secondary service. It is infrastructure.” Nobody chose a small nonprofit to be the trust layer for a multibillion-dollar industry. It happened by default, one vendor at a time, each needing somewhere legal to point.

GlassWorm walked straight through the gap the growth left open

An under-watched registry at that scale is a gift to an attacker, and GlassWorm unwrapped it. According to Socket’s research, the campaign planted “sleeper” add-ons in mid-March 2026 — packages that looked harmless the day you installed them and quietly turned days later, pulling in malicious code. The listing showed clean, readable source; the compiled version hid more than 620 lines of scrambled JavaScript, taking orders through a Solana crypto wallet rather than an ordinary server. Socket named Cursor and Windsurf outright among the exposed. A coordinated takedown in late May by CrowdStrike, Google and the Shadowserver Foundation cut all four of the malware’s command channels — and within weeks it was back. As Security Point Break reported, the returning GlassWASM version cloned two real extensions wholesale, publisher IDs and all, and hid its payload so well that “no plaintext network indicators, URLs, or commands” survived in the file. This is no smash-and-grab — it’s someone who studied its blind spots and built to fit them, and it runs inside your editor, with your reach into your code.

For two years the registry absorbed a boom's worth of growth as someone else's problem, and the fix arrived only once the worm made ignoring it impossible.

The fix is real — it just shows up two years late

To be fair, the response has been substantive, not cosmetic. In April the Eclipse Foundation launched an Open VSX Managed Registry with a 99.95% uptime commitment, pre-publish scanning, and — tellingly — funding from the very companies that had leaned on the free version: Kiro, Antigravity, Cursor, Windsurf, IBM Bob and Ona. Cursor, Windsurf and Google also patched a name-squatting flaw that let attackers claim extension names the editors recommended but that didn’t yet exist. And it’s fair to note that Microsoft’s own Marketplace has shipped malicious extensions for years, so none of this started with AI editors. But that doesn’t dissolve the specific miss: five well-funded companies scaled their whole user base on a nonprofit’s side project. For two years the registry absorbed a boom’s worth of growth as someone else’s problem, and the fix arrived only once the worm made ignoring it impossible.

It’s the same shape as a review system built for one era of software quietly aging out of the next: the guarantees people assume they’re getting expire long before anyone rewrites them. Open VSX’s managed tier is a genuine repair — just arriving as a retrofit, paid for by the companies that spent two years treating the registry as somebody else’s job.