Skip to main content

On This Page
← AI News
AI News Cyber Security Open Source

Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery

2 min read
Share

These articles are AI-generated summaries. Please check the original sources for full details.

Eclipse Foundation Addresses Leaked Tokens in Open VSX Registry

The Eclipse Foundation, which oversees the Open VSX registry for Visual Studio Code (VS Code) extensions, has revoked a limited number of access tokens exposed in public repositories. This action follows a report by cloud security firm Wiz, which identified vulnerabilities in extensions from both Microsoft’s VS Code Marketplace and Open VSX. The leaked tokens could have allowed malicious actors to publish or modify extensions, compromising the extension supply chain.

Key Security Measures Implemented

  • Token Revocation and Prefixing

    • A small number of leaked tokens were revoked after confirmation of potential abuse.
    • Introduced a token prefix format “ovsxp_” to simplify detection of exposed tokens in public repositories.

  • Supply Chain Security Enhancements

    • Reduced Token Lifetimes: Default token expiration limits tightened to minimize damage from accidental leaks.
    • Improved Token Revocation: Streamlined process for revoking tokens upon notification.
    • Automated Extension Scanning: Extensions are now automatically checked for malicious code patterns or embedded secrets during publication.

Response to the “GlassWorm” Campaign

  • Malware Removal: Extensions flagged by Koi Security as part of the “GlassWorm” campaign were removed.
    • The malware required stolen developer credentials to propagate, disqualifying it as a self-replicating worm.
    • Reported download count of 35,800 was likely inflated by bot traffic and visibility-boosting tactics.

Broader Implications for Supply Chain Security

  • Developer Responsibility: Emphasis on careful token management by extension publishers.
  • Registry Improvements: Enhanced detection and response capabilities by registry maintainers.
  • Industry Context: Growing targeting of software suppliers and developers, enabling persistent access to enterprise environments.

Reference

Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery

Continue reading

Next article

Configuration Management as a Strategic Asset for Enterprise IT

Related Content

Feb 4, 2026

Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions

Eclipse Foundation to require pre-publish security checks for Open VSX extensions to reduce VS Code supply-chain risk by up to 90%.

Read article
May 7, 2026

Beyond Feature Delivery: How Open Source Redefines Software Engineering Mindsets

Open source contributor Tarunya Kesharwani details how GSoC participation and PR reviews shift engineering focus from basic feature completion to long-term maintainability, highlighting that professional software engineering requires balancing immediate functionality with architectural scalability and collaborative code standards across diverse technology stacks.

Read article
May 29, 2026

MindMapVault: Enhancing Privacy Trust through Open Source Self-Hosting

Kornel Maraz releases MindMapVault as FOSS to enable public verification of privacy boundaries for home lab users.

Read article