VSCodium
VSCodium is a community-driven distribution of Microsoft's VS Code editor, built from the same MIT-licensed source code but without Microsoft's proprietary branding, telemetry, and licensing. The project uses automated build scripts to clone Microsoft's VS Code repository, strip telemetry endpoints and tracking configuration, and produce freely-licensed binaries. VSCodium uses the Open VSX Registry for extensions instead of Microsoft's proprietary Marketplace. The project is maintained by volunteer contributors, funded through community donations, and distributed under the MIT license. It provides the same core editing experience as VS Code while respecting user privacy.
Score generated by AI agents based on publicly cited evidence and reviewed by the project maintainer. Not independently validated.
Score History
Timeline events are AI-curated from public reporting. Score trajectory is derived from documented events.
VSCodium was created as a grassroots response to Microsoft distributing VS Code under a proprietary license with telemetry, despite the source code being MIT-licensed. The project began with minimal infrastructure and a small group of volunteers building automated pipelines to produce telemetry-free binaries. At this stage the project had near-zero enshittification concerns, with the only structural risk being reliance on unpaid volunteer labor.
VSCodium switched its extension registry from Microsoft's proprietary Marketplace to the newly created Open VSX Registry, resolving the legal ambiguity of accessing Microsoft's restricted marketplace but introducing an extension availability gap. Open VSX launched with only 218 extensions compared to thousands on the Microsoft Marketplace. This trade-off was necessary but created the project's primary user-facing limitation.
Microsoft began actively enforcing marketplace restrictions through technical blocks in proprietary extensions like Pylance and C/C++, widening the feature gap between VS Code and its forks. The Open VSX ecosystem grew significantly but still lacked parity with Microsoft's Marketplace, and the registry faced infrastructure fragility including a near-decommission in 2023. These externally imposed constraints increased switching friction for users considering VSCodium.
A series of supply chain security incidents in the Open VSX ecosystem raised the D10 score. CVE-2025-6705 exposed a critical vulnerability in the registry's publication process, leaked developer tokens enabled the GlassWorm malware campaign across 72+ extensions, and researchers found VS Code forks recommending non-existent extensions that could be weaponized. The Eclipse Foundation responded with pre-publish security scanning and registry-level safeguards, but the incidents revealed inherent risks in VSCodium's dependence on third-party extension infrastructure.
Alternatives
Modern, high-performance code editor built in Rust with native collaboration features. Open source under GPL/AGPL licenses. Faster than VS Code/VSCodium for large projects. Growing extension ecosystem but far smaller than VS Code's. Good choice for developers who want speed and a fresh start from the VS Code ecosystem.
The upstream editor VSCodium is built from — same MIT-licensed source code but with Microsoft's branding, telemetry, and proprietary licensing. Full access to Microsoft's Extension Marketplace gives it the widest extension ecosystem of any editor. Choose VS Code if extension availability matters more than telemetry concerns. Trivial switch — same settings and config format.
Dimensional Breakdown
Summaries below were written by AI agents based on the cited evidence. They are editorial interpretations, not independent research findings.
Timeline (31 events)
Microsoft Open-Sources VS Code Under MIT License
Microsoft released the source code of Visual Studio Code under the MIT license on GitHub. However, the distributed binary remained under Microsoft's proprietary license with telemetry enabled, creating the gap that would later motivate VSCodium's creation.
VSCodium Repository Created on GitHub
The VSCodium project was created on GitHub by developer stripedpajamas with the goal of producing freely-licensed binary releases of VS Code without Microsoft's proprietary branding, telemetry, and licensing. Build scripts automated the process of cloning Microsoft's vscode repo and producing MIT-licensed binaries.
VSCodium Gains Early Hacker News Attention
VSCodium appeared on Hacker News within weeks of its creation, sparking discussion among privacy-conscious developers about Microsoft's telemetry practices in VS Code. The post helped drive early adoption of the project among Linux and FOSS communities.
Parrot OS 4.4 Includes VSCodium as Default Editor
Parrot Security OS version 4.4 adopted VSCodium as its default advanced code editor, replacing Atom. This marked VSCodium's first inclusion in a Linux distribution, validating the project's privacy-first approach. Parrot OS noted VSCodium was lighter than both Atom and VS Code.
First Stable VSCodium Release Published
VSCodium version 1.30.1 was published as the first stable release on GitHub, providing pre-built binaries for Windows, macOS, and Linux. The release followed VS Code's versioning scheme, establishing the automated build pipeline that would keep VSCodium in sync with upstream.
Visual Studio Magazine Profiles VSCodium Privacy Stance
Visual Studio Magazine published 'Worried About Privacy? VSCodium Strips Microsoft Telemetry from VS Code, with FOSS License,' bringing mainstream developer media attention to the project. The article highlighted the distinction between VS Code's MIT-licensed source and its proprietary distributed binary.
VSCodium Renames Binary to Codium
A community discussion proposed renaming VSCodium's binary from 'vscodium' to 'codium' to distance the project from Microsoft's 'Visual Studio' branding. The change was implemented in the .deb package and other distribution channels, though the project retained 'VSCodium' as its public-facing name.
Open VSX Registry Launches as Marketplace Alternative
TypeFox launched the Open VSX Registry at open-vsx.org as a vendor-neutral, open-source alternative to Microsoft's Visual Studio Marketplace. The registry provided an API compatible with VS Code's marketplace protocol, enabling non-Microsoft editors to access extensions without violating Microsoft's terms of use.
VSCodium Integrates Open VSX as Default Extension Registry
Pull request #404 merged, switching VSCodium's extension gallery from Microsoft's Marketplace to Open VSX Registry. At the time, Open VSX contained only 218 extensions compared to the Marketplace's thousands. The change resolved the legal ambiguity of VSCodium accessing Microsoft's restricted Marketplace.
Eclipse Foundation Assumes Open VSX Registry Management
TypeFox transferred management of the Open VSX Registry to the Eclipse Foundation under the Eclipse Cloud Development Tools Working Group. The move provided institutional backing and governance structure for the registry that VSCodium and other VS Code forks relied on for extensions.
VS Code Releases Native Apple Silicon Builds
Microsoft released VS Code v1.54 with native Apple Silicon (M1) support. VSCodium's volunteer maintainers worked to provide corresponding ARM builds, though with some delay. Community members offered to sponsor M1 build infrastructure to help close the gap.
Microsoft Replaces Open-Source Python Server with Proprietary Pylance
Microsoft deprecated the open-source Microsoft Python Language Server in VS Code, replacing it with the proprietary Pylance extension. Pylance was blocked from running in VS Code forks like VSCodium through environment checks, forcing fork users to rely on the open-source Jedi language server instead.
VS Code Deprecates Telemetry Opt-Out in Favor of New Setting
VS Code version 1.61 deprecated the telemetry.enableTelemetry setting, replacing it with telemetry.telemetryLevel which defaulted to 'on.' Users who had previously disabled telemetry found their settings ignored, reinforcing VSCodium's value proposition of telemetry stripped at the build level rather than dependent on user configuration.
Microsoft Kills Open-Source Python Language Server Entirely
The November 2021 Python extension release officially ended support for the open-source Microsoft Python Language Server, automatically migrating remaining users to proprietary Pylance. VSCodium users were unable to use Pylance due to its proprietary license and environment checks, widening the extension feature gap.
Blog Post Exposes VS Code's Dual-License Structure
A widely-shared blog post titled 'Visual Studio Code May Not Be As Open Source As You Think' detailed how Microsoft builds VS Code from MIT-licensed source but distributes it under a proprietary license with telemetry. The article highlighted VSCodium as the FLOSS alternative, driving additional users to the project.
Eclipse Foundation Threatens to Decommission Open VSX
The Eclipse Foundation announced it would be forced to decommission the Open VSX Registry by the end of May 2023 if sustainable funding could not be secured. The threat highlighted the fragility of the extension infrastructure that VSCodium and other VS Code forks depended on.
Open VSX Working Group Formed, Saving Registry from Closure
The Eclipse Foundation announced the formation of the Open VSX Working Group with founding members Google, Huawei, Posit, Salesforce, Siemens, and STMicroelectronics. The working group provided sustainable governance and funding for the registry, resolving the decommission threat. At the time, Open VSX hosted nearly 3,000 extensions from over 1,500 publishers.
VSCodium Receives Drips FOSS Funding
The Radworks project donated funds to VSCodium through Drips, a FOSS funding initiative. Radworks identified VSCodium as one of their most critical dependencies. This represented one of the few external funding sources for the volunteer-maintained project.
VSCodium macOS Build Rejected by Gatekeeper
VSCodium version 1.85.2 was rejected by macOS Gatekeeper due to an unnotarized Developer ID, preventing users from running the app without manual security overrides. The incident highlighted the challenge volunteer projects face in maintaining Apple's code-signing requirements across release cycles.
VSCodium Downloads Domain SSL Certificate Invalid
The SSL certificate for downloads.vscodium.com was signed by an untrusted certificate authority, causing ERR_CERT_AUTHORITY_INVALID errors for users attempting to download or update VSCodium. The issue did not affect VS Code, highlighting infrastructure reliability gaps in the volunteer-maintained project.
Microsoft Blocks C/C++ Extension from Running in VS Code Forks
Microsoft released C/C++ extension v1.24.5 with an embedded environment check that prevented it from running in non-Microsoft editors including VSCodium and Cursor. This was the first time Microsoft actively enforced its marketplace terms through technical blocks in a major extension's binary, displaying an error message denying use outside sanctioned Microsoft products.
Open VSX Registry Suffers 24-Hour Outage
The Open VSX Registry experienced a major outage lasting approximately 24 hours, leaving VSCodium and all VS Code fork users unable to install or update extensions. The incident highlighted the single-point-of-failure risk in the extension supply chain for non-Microsoft editors.
Critical Vulnerability Found in Open VSX Publication Process
Koi Security researchers reported CVE-2025-6705 to the Eclipse Foundation: a vulnerability in Open VSX's automated publishing system that could allow unauthorized extension uploads due to missing sandboxing of CI job runs. The fix was deployed on June 24, and 81 extensions were proactively deactivated as a precaution.
Microsoft Announces Plan to Open-Source Copilot Chat Extension
Microsoft announced it would open-source the GitHub Copilot Chat extension under the MIT license, marking a step toward making VS Code a more transparent AI editor. The move was driven by demand for transparency in AI-assisted developer tools and could benefit VSCodium if AI features become available in the open-source codebase.
Eclipse Foundation Revokes Leaked Open VSX Tokens
Following a report from Wiz identifying extension publishing tokens inadvertently exposed in public repositories, the Eclipse Foundation revoked all affected tokens. A small number of malicious extensions had been published using the leaked credentials. The incident was declared fully contained on October 21, 2025.
AWS Invests in Strengthening Open VSX Infrastructure
Amazon Web Services made a strategic investment to strengthen the reliability, performance, and security of the Eclipse Foundation's infrastructure including the Open VSX Registry. The investment supported the transition to a hybrid multi-region architecture with AWS in Europe as primary and on-premises in Canada as secondary.
VS Code Forks Found Recommending Missing Extensions as Supply Chain Risk
Researchers discovered that VS Code forks including Cursor, Windsurf, and Google Antigravity inherited recommended extension lists from Microsoft's marketplace, but those extensions did not exist in Open VSX. Bad actors could register the unclaimed namespaces and publish malicious packages. Cursor, Windsurf, and Google rolled out fixes, and the Eclipse Foundation enforced registry-level safeguards.
GlassWorm Malware Compromises Open VSX Developer Account
Four established Open VSX extensions published by a legitimate developer had malicious versions published after the developer's account was compromised by the GlassWorm malware campaign. The attack used a compromised account rather than creating new packages, making detection more difficult.
Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX
The Eclipse Foundation announced mandatory pre-publication security scanning for Open VSX extensions, shifting from a reactive to proactive security model. The staged rollout used February 2026 for monitoring without blocking, with enforcement and quarantine beginning March 2026.
Open VSX Surpasses 300 Million Monthly Downloads
The Eclipse Foundation announced the Open VSX Registry surpassed 300 million monthly downloads with over 10,000 extensions from 6,500+ publishers. The registry now powers developer platforms including VSCodium, Cursor, Windsurf, Amazon Kiro, and Google Antigravity, establishing it as critical developer infrastructure.
GlassWorm Campaign Expands to 72 Malicious Open VSX Extensions
The Socket Research Team identified at least 72 additional malicious Open VSX extensions linked to the GlassWorm campaign, targeting developers with credential-stealing malware disguised as linters, formatters, and AI coding tools. The malware used invisible Unicode characters to hide payloads and abused extensionPack manifest fields for transitive dependencies.