The Eclipse Foundation, which maintains the open-source Open VSX project, announced that it has revoked a small number of tokens leaked within Visual Studio Code (VS Code) extensions published in the marketplace.
This action follows a report from cloud security company Wiz earlier this month. Wiz discovered several extensions from both Microsoft’s VS Code Marketplace and Open VSX that inadvertently exposed their access tokens within public repositories. As a result, malicious actors could have seized control of those extensions and used them to distribute malware, effectively poisoning the extension supply chain.
“Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions,” said Mikaël Barbero, head of security at the Eclipse Foundation. “These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure.”
To strengthen security, Open VSX introduced a new token prefix format, “ovsxp_”, in collaboration with the Microsoft Security Response Center (MSRC). This update makes it easier to scan for exposed tokens across public repositories.
In addition, the registry maintainers identified and removed all extensions recently flagged by Koi Security in a campaign called “GlassWorm.” They emphasized that the malware distributed through this activity was not a “self-replicating worm,” as it must first steal developer credentials before spreading further.
“We also believe that the reported download count of 35,800 overstates the actual number of affected users, as it includes inflated downloads generated by bots and visibility-boosting tactics used by the threat actors,” Barbero added.
Open VSX continues to implement new security measures to strengthen the software supply chain. These include:
- Reducing token lifetime limits by default to minimize the impact of accidental leaks
- Simplifying token revocation once a leak is reported
- Automating extension scans at publication to detect malicious code patterns or embedded secrets
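The following is an added example, not tooling from Open VSX or the Eclipse Foundation, showing why a fixed token prefix makes exposure scanning practical (the “ovsxp_” change above) and how a pre-publication scan for embedded secrets (the last measure listed) might work. The only fact taken from the article is the prefix itself; the assumed length and alphabet of the rest of the token, the placeholder heuristics, and all sample file contents are constructed for illustration.

```python
"""Scan a set of files for leaked Open VSX-style tokens.

Added example, not Open VSX's own scanner. The "ovsxp_" prefix comes from the
article; everything else (token length/alphabet, placeholder rules, sample
files) is an assumption or constructed test data.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: tokens are "ovsxp_" followed by at least 20 URL-safe characters.
# The article does not state the real format; adjust if the registry documents it.
TOKEN_RE = re.compile(r"\bovsxp_[A-Za-z0-9_-]{20,}")

# Substrings that mark documentation placeholders rather than real secrets.
PLACEHOLDER_MARKERS = ("xxxx", "your_token", "example", "changeme")

# A real token's random part has high entropy; a placeholder like "xxxx..." does not.
MIN_ENTROPY_BITS = 3.0


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    redacted: str  # never store or log the full token


def redact(token: str) -> str:
    """Keep the prefix and last 4 characters so a finding is reportable without re-leaking it."""
    return f"{token[:6]}...{token[-4:]}"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(token: str) -> bool:
    """Heuristic: skip obvious template values to keep the report low-noise."""
    low = token.lower()
    if any(marker in low for marker in PLACEHOLDER_MARKERS):
        return True
    return shannon_entropy(token[len("ovsxp_"):]) < MIN_ENTROPY_BITS


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per non-placeholder token match, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            token = match.group(0)
            if not is_placeholder(token):
                findings.append(Finding(path, line_no, redact(token)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents in a deterministic (sorted) order."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository: two leaked-looking tokens, two placeholders, one clean file.
SAMPLE_FILES = {
    ".github/workflows/publish.yml": (
        "name: publish\n"
        "jobs:\n"
        "  publish:\n"
        "    steps:\n"
        "      - run: npx ovsx publish -p ovsxp_4kQ9mZ2vLp8sR1tXc7bN3wYe6hJ0dF\n"
    ),
    "README.md": "Publish with: ovsx publish -p ovsxp_xxxxxxxxxxxxxxxxxxxxxxxx\n",
    ".env.example": "OVSX_PAT=ovsxp_YOUR_TOKEN_HERE_0000000000\n",
    "scripts/ci.sh": (
        "#!/bin/sh\n"
        "export OVSX_PAT=\"ovsxp_Qa7Lm2Zx9Vb4Ny6Rt8Wk1Hs3Jf5Dp\"\n"
        "npx ovsx publish -p \"$OVSX_PAT\"\n"
    ),
    "src/extension.ts": "export function activate() {}\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: possible leaked token {f.redacted}")
```

The prefix turns a fuzzy "does this string look random?" question into an exact-match search, which is what lets a registry, a CI step, or a public-repository scanner find leaks quickly and with few false positives; the entropy and marker checks are only there to drop documentation placeholders that happen to carry the prefix. Findings are redacted before they are printed so that a scan report does not itself become a second leak.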
These measures aim to improve the ecosystem’s cyber resilience at a time when software suppliers and developers face increasing attacks. Such incidents can give threat actors deep and persistent access to enterprise environments.
“Incidents like this remind us that supply chain security is a shared responsibility: from publishers managing their tokens carefully, to registry maintainers improving detection and response capabilities,” Barbero said.
Source: TheHackerNews