

Ethical Hacking News

The Vulnerability That Wasn't: Unraveling the Supply Chain Malware Attack on Open VSX



Open VSX has been targeted by a malware attack using leaked access tokens. The incident highlights the need for effective security in the supply chain, as threat actors can quickly exploit vulnerabilities with minimal exposure. In response to this incident, Open VSX is implementing several security enhancements to prevent similar attacks in the future.

  • The Open VSX registry was exploited by threat actors who took advantage of an accidental leak of access tokens.
  • A public repository containing over 550 secrets across Microsoft VSCode and Open VSX marketplaces was discovered, used to publish malicious extensions known as the 'GlassWorm' malware campaign.
  • The attackers used self-spreading malware hidden within invisible Unicode characters to steal developer credentials and target cryptocurrency wallet projects.
  • Open VSX has announced several security enhancements to mitigate such risks in the future, including token lifetime shortening, faster revocation workflows, automated security scans, and threat intelligence sharing.



    In a recent and alarming incident, the Open VSX registry was exploited by threat actors who took advantage of an accidental leak of access tokens, which they used to publish malicious extensions. This attack highlights the importance of robust security measures in the supply chain and demonstrates how quickly vulnerabilities can be exploited when not adequately addressed.

    On October 30, 2025, researchers from Wiz discovered a public repository containing over 550 secrets across the Microsoft VSCode and Open VSX marketplaces. The leaked tokens were used by malicious actors to publish malicious extensions in what has been termed the 'GlassWorm' malware campaign. This development highlights the potential risks of relying on supply chains without adequate security measures.

    A few days after the leak was reported, Koi Security researchers observed that the GlassWorm campaign deployed self-spreading malware hidden within invisible Unicode characters. The attackers used these malicious extensions to steal developer credentials and target 49 cryptocurrency wallet projects. The primary motive behind the attack appears to have been financial gain.

    The Open VSX team and the Eclipse Foundation issued a blog post explaining the nature of the GlassWorm malware campaign. According to the team, the malicious code in question was designed primarily to steal developer credentials, which could subsequently be used by the attackers to extend their reach across various projects. However, it is stated that the malware did not autonomously propagate through systems or user machines.

    Notably, the threat actors behind GlassWorm were found to have quickly moved to GitHub upon discovery of the initial leak in the Open VSX registry. They employed a similar Unicode steganography technique to hide their malicious payload within JavaScript projects on GitHub. As of October 31, multiple repositories focused on JavaScript projects had already been affected by this operation.

    The attackers' successful movement across several open-source ecosystems underscores the ongoing nature of the threat and its potential for further spread. In order to mitigate such risks in the future, Open VSX has announced several security enhancements:

    1. Shortening token lifetimes to reduce the impact of any exposure.
    2. Introducing faster revocation workflows for leaked credentials.
    3. Performing automated security scans on extensions during publication.
    4. Collaborating with VS Code and other marketplaces to share threat intelligence.
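    The invisible-Unicode technique described above is something a pre-publication scan (item 3) can check for directly: legitimate JavaScript source has no reason to contain zero-width characters, variation selectors or Unicode tag characters, and a long run of them on one line is the signature of an embedded payload rather than a stray editing accident. The scanner below is an added example written for this article, not Open VSX's or the researchers' own code; it assumes the extension source is available as text, and the sample JavaScript and the hidden payload in it are constructed for the demonstration.

```python
"""Pre-publication scan for invisible Unicode characters in extension source.

Added example, not Open VSX's own scanner. Assumes extension source is
available as text; the sample below is constructed for this demonstration.
"""
import unicodedata
from dataclasses import dataclass

# Invisible or default-ignorable characters that have no business in source
# code. The explicit set covers common zero-width characters; the ranges cover
# variation selectors and Unicode "tag" characters, which render as nothing and
# can carry arbitrary data inside ordinary-looking text.
EXPLICIT_INVISIBLE = {
    0x00AD,                                 # soft hyphen
    0x034F,                                 # combining grapheme joiner
    0x180E,                                 # Mongolian vowel separator
    0x200B, 0x200C, 0x200D,                 # zero width space / non-joiner / joiner
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064, # word joiner, invisible operators
    0xFEFF,                                 # zero width no-break space (BOM at file start)
}
INVISIBLE_RANGES = (
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # tag characters
)


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if cp in EXPLICIT_INVISIBLE:
        return True
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Any remaining format character (category Cf, e.g. bidi controls) is also
    # flagged: JavaScript source never needs them.
    return unicodedata.category(ch) == "Cf"


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number
    col: int         # 1-based column, counted in code points
    codepoint: int
    name: str


def scan_source(text: str) -> list[Finding]:
    """Return every invisible code point in `text`, except a leading BOM."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue  # a byte-order mark at the very start of a file is benign
            if is_invisible(ch):
                findings.append(
                    Finding(lineno, col, ord(ch), unicodedata.name(ch, "<unnamed>"))
                )
    return findings


def longest_run(findings: list[Finding]) -> int:
    """Longest run of consecutive invisible code points on a single line.

    One stray character is usually an editing accident; a long run is how a
    hidden payload looks once it has been encoded into invisible characters.
    """
    best = run = 0
    prev = None
    for f in findings:
        run = run + 1 if prev and f.line == prev.line and f.col == prev.col + 1 else 1
        best = max(best, run)
        prev = f
    return best


def verdict(text: str, run_threshold: int = 8) -> str:
    """'clean', 'review' (isolated invisibles) or 'reject' (a payload-sized run)."""
    findings = scan_source(text)
    if not findings:
        return "clean"
    if longest_run(findings) >= run_threshold:
        return "reject"
    return "review"


# Constructed sample: ordinary-looking extension code with a payload hidden in
# a run of variation selectors after the semicolon on line 2, and a single
# stray zero width space on line 3. The payload bytes are made up.
HIDDEN = "".join(chr(0xFE00 + (b % 16)) for b in b"constructed payload")
SAMPLE_JS = (
    "const vscode = require('vscode');\n"
    "function activate(context) {};" + HIDDEN + "\n"
    "module.exports = { activate\u200b };\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f.line} col {f.col}: U+{f.codepoint:04X} {f.name}")
    print("verdict:", verdict(SAMPLE_JS))
```

The run threshold is the knob worth thinking about: a single zero-width space copied in from a web page is common enough that rejecting on one finding would generate noise, so the scanner escalates to an outright reject only when it sees a payload-sized run and sends isolated hits to human review.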

    It is essential that developers, researchers, and organizations implement robust security measures when managing software supply chains to prevent vulnerabilities from being exploited by malicious actors.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Vulnerability-That-Wasnt-Unraveling-the-Supply-Chain-Malware-Attack-on-Open-VSX-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used-in-supply-chain-malware-attack/


  • Published: Sun Nov 2 17:51:26 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
