

Ethical Hacking News

Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery



A recent incident involving leaked Open VSX tokens has highlighted the importance of secure coding practices and proper token management in software development. The Eclipse Foundation has taken steps to revoke affected tokens and strengthen the ecosystem's cyber resilience. Learn more about this incident and its implications for supply chain security.

  • A recent security incident involving leaked tokens in Visual Studio Code (VS Code) extensions has raised concerns about supply chain security.
  • Several extensions exposed access tokens publicly, potentially allowing bad actors to seize control and distribute malware.
  • The Eclipse Foundation has taken steps to revoke leaked tokens and improve token management practices.
  • The incident highlights the importance of proper token management and secure coding practices in software development.
  • Supply chain security awareness is crucial among developers, publishers, and registry maintainers to prevent similar incidents.



    Cybersecurity breaches are a pervasive issue that affects many segments of the software development ecosystem. Recently, an incident involving tokens leaked by Visual Studio Code (VS Code) extensions published in the marketplace has raised concerns about the vulnerability of the software supply chain. A report by cloud security company Wiz earlier this month revealed that several extensions from both Microsoft's VS Code Marketplace and Open VSX had inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control of those extensions and distribute malware.

    The Eclipse Foundation, which maintains the open-source Open VSX project, has taken steps to revoke a small number of tokens that were leaked. According to Mikaël Barbero, head of security at the Eclipse Foundation, "Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions." These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure.

    These incidents highlight the importance of proper token management and secure coding practices in software development. The Eclipse Foundation's efforts to strengthen the ecosystem's cyber resilience by introducing new measures are a step in the right direction. These changes include shortening default token lifetimes to limit the impact of accidental leaks, making token revocation easier once a leak is reported, and automatically scanning extensions at publication time for malicious code patterns or embedded secrets.
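As an added illustration of the publish-time secret scanning described above (example code written for this article, not the Eclipse Foundation's or Open VSX's own scanner): it walks the files of an extension package, flags credential files that should never be packaged, and flags key/value assignments whose value looks like a high-entropy token. The sample package contents, the token values and the sensitive-file list are constructed for the example.

```python
import math
import re
from collections import Counter

# Files that commonly carry publishing credentials and should never ship in a
# package (constructed list for this example, not any registry's real policy).
SENSITIVE_FILES = {".npmrc", ".env", ".git-credentials"}

# Candidate secret: a credential-looking key assigned a long opaque value.
# The lookbehind avoids matching inside words such as "compat=".
ASSIGN_RE = re.compile(
    r"(?i)(?<![a-z0-9])(token|secret|password|api[_-]?key|pat|_authToken)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9_\-./+=]{20,})"
)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score well above prose or paths."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_file(path: str, text: str, min_entropy: float = 3.5) -> list:
    """Return (path, line_no, reason) findings for one file; line 0 = whole file."""
    findings = []
    name = path.rsplit("/", 1)[-1]
    if name in SENSITIVE_FILES:
        findings.append((path, 0, "credential file packaged"))
    for no, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            key, value = m.group(1).lower(), m.group(2)
            if shannon_entropy(value) >= min_entropy:
                findings.append((path, no, f"high-entropy {key} value"))
    return findings

def scan_package(files: dict) -> list:
    """files maps package-relative path -> contents; returns all findings."""
    return [f for path, text in files.items() for f in scan_file(path, text)]

# Constructed sample package; both token values are made-up placeholders.
SAMPLE_PACKAGE = {
    "package.json": '{"name": "demo-ext", "version": "1.0.0", "publisher": "demo"}',
    "src/extension.js": "const API_BASE = 'https://example.invalid/api';\n",
    "scripts/publish.sh": 'OVSX_PAT="pat_9fK2xL8qZ3mW7vB1nR4tY6uH0sD5gA2e"\nnpx ovsx publish\n',
    ".npmrc": "//registry.npmjs.org/:_authToken=npm_AbC123dEf456GhI789jKl012MnO345pQr\n",
}

if __name__ == "__main__":
    for path, line_no, reason in scan_package(SAMPLE_PACKAGE):
        print(f"{path}:{line_no}: {reason}")
```

A registry would reject the upload on any finding; a publisher can run the same check in CI before calling the publish command.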

    The incident also underscores the need for supply chain security awareness among developers, publishers, and registry maintainers. "Incidents like this remind us that supply chain security is a shared responsibility: from publishers managing their tokens carefully, to registry maintainers improving detection and response capabilities," Barbero said.

    The malware distributed through the activity, known as GlassWorm, was not a self-replicating worm in the classical sense. Instead, it first needs to steal developer credentials in order to extend its reach. This highlights the importance of developing robust security protocols to mitigate such threats.

    The reported download count of 35,800 overstates the actual number of affected users, according to Koi Security, the firm that named the campaign "GlassWorm." The threat actors employed various tactics, including bots and visibility-boosting techniques, to inflate the download counts. This highlights the need for vigilance among security professionals in detecting and responding to such threats.

    The Eclipse Foundation's efforts to bolster the supply chain security come as software suppliers and developers are increasingly becoming targets of attacks. These attacks allow attackers to gain far-reaching, persistent access to enterprise environments. The importance of robust security measures cannot be overstated in today's digital landscape.

    In conclusion, the recent incident involving leaked Open VSX tokens highlights the need for secure coding practices and proper token management in software development. The Eclipse Foundation's efforts to strengthen the ecosystem's cyber resilience are a step in the right direction, but further awareness and action are needed to mitigate such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Eclipse-Foundation-Revokes-Leaked-Open-VSX-Tokens-Following-Wiz-Discovery-ehn.shtml

  • https://thehackernews.com/2025/10/eclipse-foundation-revokes-leaked-open.html


  • Published: Fri Oct 31 10:12:07 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.