Attackers are conducting a sustained campaign to distribute malicious VS Code extensions through Open VSX that appear legitimate but contain self-propagating malware. This represents a supply chain attack targeting the developer community and the software they produce.