I need an effective way to debug Unity projects …
Couldn’t agree more. This is a serious security issue and should be fixed as soon as possible. E.g malware / credentials grabber. Which one would you add (the one with 2M is the malware).
6 Likes
This is frustrating. Can’t find many of favorite extensions
4 Likes
This was a strategic error : this strange marketplace is not even close to the industry’s security standards. Moreover, many many extensions are missing and porting them from VS Code makes it impossible to receive updates automatically. Switching client side and choosing a marketplace could be an alternative but how to do it?
Recent Malicious Extensions Statistics (from Koi Security research):
-
1,283 extensions with known malicious dependencies (229M installs)
-
267 extensions with hardcoded secrets
-
145 extensions flagged by VirusTotal
-
1,452 extensions running unknown binaries
ADDITIONAL RISK FACTOR: Lack of CVE Documentation
- OpenVSX critical vulnerabilities (VSXPloit, namespace hijacking) have NO CVE numbers
- This indicates poor vulnerability management practices by maintainers
- Organizations cannot properly track/assess OpenVSX security risks
- No standardized way to reference these vulnerabilities in security tools
OpenVSX integration represents a critical risk vector requiring immediate attention
4 Likes
Just tried, here are the settings:
"extensions.gallery.serviceUrl": "https://marketplace.visualstudio.com/_apis/public/gallery",
"extensions.gallery.itemUrl": "https://marketplace.visualstudio.com/items",
You can find a related setting in the User interface as well:
Also tried with these settings a bit more advanced:
"extensions.gallery.serviceUrl": "https://marketplace.visualstudio.com/_apis/public/gallery",
"extensions.gallery.itemUrl": "https://marketplace.visualstudio.com/items",
"extensions.gallery.searchUrl": "https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery",
"extensions.gallery.publisherUrl": "https://marketplace.visualstudio.com/publishers",
"extensions.autoCheckUpdates": true,
"extensions.autoUpdate": false
Both don’t seem to work. The loading bar gets stuck, pointing to a failing authentication with Microsoft. Maybe it’s not allowed from ToS perspective?
Are we doing something wrong?
If this is not fixed we are likely to quit Cursor (with a heavy heart as we all love it) as we rely on many extensions that are not available in OpenVSX and not maintained extensions is not an option when you work in an industry in which you have monthly impactful updates in interdependent applications.
3 Likes
Blog post for reference: Marketplace Takeover: How We Could’ve Taken Over Every Developer Using a VSCode Fork; Putting Millions at Risk | by Oren Yomtov | Jun, 2025 | Koi Security
They developed an extension that scores your installed extensions(for known issues): ExtensionTotal Security - Visual Studio Marketplace
2 Likes
Hey, this will be fixed in the next version.
1 Like
Great news
Bun extension not on latest version (0.0.29) released ~5 hours ago and the marketplace link shows a 404 Open VSX Registry
EDIT: Seems to be available as of 2025-08-05 and the link no longer 404’s
Hi @deanrie, are there updates here?
1 Like
Thank you, that was really helpful!
Hi! hope you’re doing well. in my opinion this was a bad decision. won’t dig deeper on why, other have mentioned already.
but for example, this extension vscode-stylelint has been updated 4 days ago and open-vsx version has not been updated yet. four days! and we’re stuck. it’s an important patch & extension is not working for us rn.