Token Leak: Eclipse Revokes Exposed Keys to Halt Open VSX Supply Chain Attacks
The Eclipse Foundation has revoked several compromised access tokens used to publish extensions to the Open VSX registry. The investigation was prompted by a report from Wiz, a company specializing in cloud security. In early October, Wiz researchers found that certain Visual Studio Code extensions, published to both Microsoft's official marketplace and Open VSX, had active production tokens committed in their public source repositories. Such leaks pose a serious risk: anyone who finds the token can tamper with source code, replace legitimate extension content, and distribute malicious updates under the original publisher's name.
According to the Head of Security at the Eclipse Foundation, the compromised keys were found in a small number of unrelated repositories. The leaks resulted from developer oversight and were not linked to any vulnerability in the Open VSX infrastructure. Upon review, the team confirmed that the exposed tokens could have been used to publish counterfeit versions of existing extensions or to push unwanted modifications to them.
To mitigate the risk of similar incidents, Open VSX, in collaboration with the Microsoft Security Response Center (MSRC), has introduced a token prefixing scheme. All newly issued keys now begin with the prefix “ovsxp_”, so automated secret scanners can recognize them by pattern rather than by entropy alone. The key management process has also been refined: tokens now have a limited validity period by default, and the revocation procedure has been streamlined to allow a faster response when a token is compromised.
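The point of a fixed prefix is that a scanner can match it with a simple pattern instead of guessing from entropy. The scanner below is an added example, not Open VSX's or MSRC's own tooling, and it is the kind of check a developer can run as a git pre-commit hook (and a registry could run on submitted extensions). The page only states the prefix, so the body that follows it is an assumption: a run of URL-safe characters of at least 20 characters. The sample workflow file and its token are constructed for the example.

```python
"""Added example: find committed Open VSX tokens by their "ovsxp_" prefix.

Not Open VSX's own code. Only the prefix comes from the page; the token
body (alphabet and minimum length) is an assumption made for the regex.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Prefix from the page; the body (URL-safe chars, >= 20 long) is an assumption.
# The negative lookbehind avoids matching the prefix in the middle of a word.
OVSX_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])ovsxp_[A-Za-z0-9_-]{20,}")

Finding = Tuple[str, int, str]  # (path, line number, redacted token)


def redact(token: str) -> str:
    """Keep the prefix and last 4 chars so a finding is identifiable but not reusable."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per token occurrence in `text`, attributed to `path`."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in OVSX_TOKEN_RE.finditer(line):
            findings.append((path, lineno, redact(match.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> content (e.g. the staged tree) and collect findings."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def staged_files() -> Dict[str, str]:
    """Read the contents of files staged in git, for use as a pre-commit hook."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    staged: Dict[str, str] = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True).stdout
        staged[name] = blob.decode("utf-8", errors="replace")
    return staged


# Constructed sample tree (not from any real extension): a publish workflow with a
# hard-coded token, which is the kind of oversight the article describes, and a
# README that only mentions the prefix and must not be flagged.
SAMPLE_TREE = {
    ".github/workflows/publish.yml": (
        "name: publish\n"
        "jobs:\n"
        "  publish:\n"
        "    steps:\n"
        "      - run: npx ovsx publish -p ovsxp_9f8e7d6c5b4a39281706f5e4d3c2b1a0\n"
    ),
    "README.md": "Tokens start with ovsxp_ and must be stored as secrets, never committed.\n",
}

if __name__ == "__main__":
    # `--staged` scans the git index (pre-commit use); otherwise the sample tree.
    tree = staged_files() if "--staged" in sys.argv else SAMPLE_TREE
    results = scan_files(tree)
    for path, lineno, token in results:
        print(f"{path}:{lineno}: possible Open VSX token {token}")
    sys.exit(1 if results else 0)
```

Wired into `.git/hooks/pre-commit` as `python3 scan_ovsx_tokens.py --staged`, the non-zero exit blocks the commit that would have leaked the token. The redaction keeps the prefix and the last four characters so the finding can be matched against the registry's token list without the scanner's own output becoming a second copy of the secret.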
The team has also removed from the registry all extensions named in Koi Security's report on the GlassWorm campaign. Despite the name, the campaign does not involve a traditional self-propagating worm: spreading the malicious code requires the attackers to obtain valid developer credentials, so infection is not automatic. Representatives from the Eclipse Foundation emphasized that the actual number of affected users is significantly lower than the reported 35,800 downloads, as many of those were bot-generated and artificially inflated by the threat actors.
In addition to these measures, Open VSX plans to expand its automated pre-publication review process. The enhanced checks will include scans for malicious patterns and leaked secrets within submitted extensions. These initiatives aim to strengthen the resilience of the ecosystem and minimize risks for developers and organizations that rely on third-party extensions.
The Foundation further underscored that the security of the software supply chain depends on collective responsibility: authors must safeguard their credentials, while administrators must respond promptly to any emerging incidents.