Swift lands on Open VSX — risk follows
The Swift extension for Visual Studio Code was published to the Open VSX Registry, broadening where Swift editing and tooling can run outside Xcode. At the same time a trojanized Open VSX extension has been used to spread the ‘GlassWorm’ malware across VS Code‑compatible editors, underscoring new supply‑chain and extension governance risks for Swift workflows outside Apple tooling. (infoworld.com) (cybersecuritynews.com)
Swift just got easier to use outside Apple’s own tools, and that change arrived the same week researchers were warning that Open VSX had been used to spread GlassWorm malware through Visual Studio Code-style extensions. The two stories fit together because the same registry that makes Swift easier to install in Cursor or VSCodium also becomes part of the trust chain for those editors. (infoworld.com) (thehackernews.com)

Swift is Apple’s programming language, and the Visual Studio Code extension is the add-on that gives an editor basics like code completion, refactoring, debugging, tests, and documentation support. Microsoft’s own documentation says the extension leans on SourceKit Language Server Protocol, which is the background service that reads your code and feeds the editor smart suggestions. (code.visualstudio.com) (infoworld.com)

Until now, that Swift workflow mostly pointed people toward Microsoft’s Visual Studio Marketplace, but Open VSX is a separate catalog run by the Eclipse Foundation for editors that speak the same extension format. Open VSX calls itself a vendor-neutral alternative to the Visual Studio Marketplace, and it is already wired into tools such as VSCodium and Eclipse Theia. (open-vsx.org) (eclipse.org)

That is why this publication matters: the official Swift extension can now be pulled into compatible editors including Cursor, VSCodium, Kiro, and Antigravity, instead of living only in Microsoft’s store. InfoWorld reported on April 10, 2026 that agentic editors such as Cursor and Antigravity can automatically install Swift from Open VSX with no manual download step. (infoworld.com)

There is one catch built into the tool itself. Apple’s Swift extension works best with Swift Package Manager projects, which are the projects organized around a `Package.swift` file, while support for traditional Xcode project files is limited. (infoworld.com) (code.visualstudio.com)

At the same time, Open VSX has been dealing with the exact problem that scares developers most in extension marketplaces: a tool that looks helpful but arrives poisoned. The Hacker News reported on March 14, 2026 that researchers found at least 72 additional malicious Open VSX extensions tied to the GlassWorm campaign since January 31, 2026. (thehackernews.com)

GlassWorm’s trick is not just hiding bad code inside one extension. Researchers said the attackers abused `extensionPack` and `extensionDependencies`, which are package fields that tell an editor to install other extensions too, so one seemingly harmless add-on could quietly pull in a second malicious one later. (thehackernews.com)

That turns an extension store into something closer to an app store with invisible subcontractors. A developer may think they approved one formatter, linter, or coding assistant helper, while the editor follows dependency instructions and installs extra code from the same ecosystem. (thehackernews.com)

Open VSX’s own operators have acknowledged that the old model was too reactive for a growing registry. In a recent Alpha-Omega post, the project said it had relied mainly on post-publication investigation and takedown, and is now adding pre-publish checks aimed at impersonation, exposed secrets, known malicious patterns, and quarantine for suspicious uploads. (alpha-omega.dev)

The Eclipse Foundation already requires publishers to sign an Open VSX Publisher Agreement and publish under a license, but paperwork is not the same thing as proving every update is safe. That gap is what makes the Swift-on-Open-VSX moment feel bigger than a simple editor compatibility update: convenience is expanding faster than trust tooling. (eclipse.org) (alpha-omega.dev)

For Swift developers, the practical change is clear. If you want Apple’s language features in non-Apple editors, Open VSX now gives you a cleaner path to get them, but every extension install and every automatic dependency now deserves the same suspicion developers already apply to random packages in Node Package Manager or Python Package Index. (infoworld.com) (thehackernews.com)
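
One way to see what the `extensionPack` and `extensionDependencies` fields described above would pull in beyond the extensions a developer actually approved. This is an added example, not code from the article or from Open VSX; the sample manifests, publisher names, the `pulled_in` and `load_manifests` helpers, and the assumption that each installed extension sits in its own folder with a `package.json` are all constructed for illustration.

```python
import json
from pathlib import Path

# Constructed sample manifests (package.json contents); all names are made up.
SAMPLE_MANIFESTS = [
    {"publisher": "example-tools", "name": "formatter-helper",
     "extensionPack": ["example-tools.theme-pack"]},
    {"publisher": "example-tools", "name": "theme-pack",
     "extensionDependencies": ["Unknown-Pub.telemetry-sync"]},
    {"publisher": "example-lang", "name": "syntax"},
]

def load_manifests(extensions_dir):
    """Read every <extensions_dir>/<extension>/package.json (layout is an assumption)."""
    return [json.loads(p.read_text(encoding="utf-8"))
            for p in Path(extensions_dir).glob("*/package.json")]

def ext_id(manifest):
    # Extension ids have the form publisher.name; lower-cased for comparison.
    return f"{manifest['publisher']}.{manifest['name']}".lower()

def pulled_in(manifests, approved):
    """Map each unapproved extension reachable from an approved one to the
    chain of extensionPack / extensionDependencies references leading to it."""
    by_id = {ext_id(m): m for m in manifests}
    approved = {a.lower() for a in approved}
    findings, seen = {}, set()
    stack = [(a, [a]) for a in sorted(approved)]
    while stack:
        current, chain = stack.pop()
        if current in seen:                  # guards against reference cycles
            continue
        seen.add(current)
        manifest = by_id.get(current, {})    # {} when not on disk yet
        for field in ("extensionPack", "extensionDependencies"):
            for ref in manifest.get(field, []):
                ref = ref.lower()
                if ref not in approved and ref not in findings:
                    findings[ref] = {"chain": chain + [ref],
                                     "installed": ref in by_id}
                stack.append((ref, chain + [ref]))
    return findings

if __name__ == "__main__":
    approved = ["example-tools.formatter-helper", "example-lang.syntax"]
    for ext, info in pulled_in(SAMPLE_MANIFESTS, approved).items():
        state = "installed" if info["installed"] else "not on disk yet"
        print(f"{ext} ({state}): {' -> '.join(info['chain'])}")
```

An entry reported as not on disk yet is a reference the editor could still resolve on a later install or update, which is the case worth reviewing before approving the parent extension.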