Editor plugin: Open VSX
Open VSX extensions, the same depth as VS Code.
Open VSX is the open registry behind VSCodium, Cursor, and Gitpod - reviewed less than the Microsoft Marketplace, so a poisoned extension slips in more easily. Extuno scans the .vsix with the full VS Code pipeline: static, dynamic, and AI analysis on every scan.
What Extuno catches in Open VSX
Evidence, not guesswork.
Each finding names the change, why it is dangerous, and the recommended action.
- Diff finding: Workspace token theft (Critical). The extension reads a token from the workspace and sends it to an unlisted host.
- Diff finding: Broad activation (Review). It activates on every workspace, not a specific language or file.
- Diff finding: Shell on activation (Critical). A child process runs at activation time with no user action.
See it on a poisoned update
Less review, same attack surface
Extuno runs the Open VSX .vsix live in a segmented micro-VM and records the shell and the beacon.
- Vulnerability and secret-leak testing on every version
- Static analysis reads the code without running it
- Dynamic sandbox runs it live and records behavior
- AI code analysis reads the full source and correlates the change against prior versions
1. Extension installs from Open VSX
2. Reads workspace files on activation
3. Spawns a shell task
4. Exfiltrates a token to a remote host
Scan your first Open VSX plugin free.
Your first 5 credits are free - that is 5 full scans, no card required.