Hacker News

If you run part of the software supply chain ecosystem, put it on the web without any kind of "alpha" or "insecure" language that's highly visible to end users on every package, and even distribute professional white papers and marketing-style landing pages to promote it (e.g. https://outreach.eclipse.foundation/openvsx), but create a deployment architecture that executes arbitrary third-party code during every deploy (as was the case before https://github.com/EclipseFdn/publish-extensions/pull/881/fi... landed to fix the issue in the link above), then I do indeed think that the Eclipse Foundation bears some responsibility here.

And for sure, Cursor and others should have funded security hardening of their extension marketplace. The lion's share of the blame lies there. But the Eclipse Foundation is in a position to incentivize that investment by making it clear to end users that open-vsx is still at an experimental level of stability and security, rather than promoting it as an enterprise-ready product with white papers and all.



There are companies that will provide quality guarantees and product liability insurance for open-source software (I work for one, in fact), so maybe Cursor should have used one of those.




