The Eclipse Foundation has announced that it has revoked a small number of access tokens used in its Open VSX Registry after a security firm discovered they had been leaked. These tokens were used by developers to publish or update extensions, and if misused, they could have allowed attackers to upload malicious versions. The Foundation said the action was taken immediately to prevent any potential security issues.
The discovery came from cybersecurity company Wiz, which found that several developer tokens for VS Code and Open VSX extensions had accidentally been exposed in public code repositories. These tokens are sensitive credentials that can give full publishing rights to anyone who holds them. Wiz’s research showed that such leaks could pose a major supply chain risk by allowing attackers to push fake or harmful updates directly to users.
According to the Eclipse Foundation, the issue did not come from a direct breach of Open VSX systems. Instead, the tokens were leaked because some developers mistakenly committed them to public repositories. Once the leaks were identified, Eclipse quickly revoked the affected tokens and began working with extension maintainers to secure their accounts and publishing workflows.
As a preventive step, the Open VSX team has introduced a new token prefix format to make it easier to detect exposed tokens in public code. This change helps automated scanners and security tools identify any future leaks before they can be exploited. The registry team has also advised developers to follow best practices for handling access tokens and to rotate them regularly.
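To show why a fixed token prefix makes leaks easier to catch, here is an added example of a small secret scanner that a team could run as a pre-commit or CI hook over a git diff. It is not code from the article, the Eclipse Foundation, or the Open VSX project. The prefix `ovsxp_`, the minimum token length, and the sample diff (including the `OVSX_PAT` line) are assumptions constructed for illustration; the article does not state the actual token format, so substitute the registry's published prefix.

```python
import math
import re
import sys
from dataclasses import dataclass

# ASSUMPTION: illustrative prefix and length; replace with the registry's published format.
TOKEN_PREFIX = "ovsxp_"
MIN_BODY_LEN = 20

# Unified-diff hunk header, e.g. "@@ -1,2 +1,3 @@"; group 1 is the new-file start line.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    line_no: int      # line number in the file being scanned (new side of the diff)
    redacted: str     # prefix plus a few characters, never the full secret
    entropy: float    # Shannon entropy (bits/char) of the token body, as a sanity signal


def shannon_entropy(s: str) -> float:
    """Bits per character; random token bodies score high, placeholders score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_prefixed_tokens(text: str, prefix: str = TOKEN_PREFIX,
                         min_body_len: int = MIN_BODY_LEN) -> list[Finding]:
    """Return one Finding per prefixed token found in the given text.

    The prefix does the heavy lifting: a bare mention of the prefix in prose
    (no long token body after it) is not reported, which is what keeps the
    false-positive rate far below generic high-entropy string detection.
    """
    pattern = re.compile(re.escape(prefix) + r"([A-Za-z0-9_-]{%d,})" % min_body_len)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in pattern.finditer(line):
            body = match.group(1)
            findings.append(Finding(line_no, prefix + body[:4] + "...",
                                    shannon_entropy(body)))
    return findings


def scan_added_lines(diff_text: str, prefix: str = TOKEN_PREFIX) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, reporting new-file line numbers."""
    findings = []
    new_line = 0
    for raw in diff_text.splitlines():
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1)) - 1
            continue
        if raw.startswith(("+++", "---", "diff ", "index ")):
            continue
        if raw.startswith("+"):
            new_line += 1
            for f in find_prefixed_tokens(raw[1:], prefix):
                findings.append(Finding(new_line, f.redacted, f.entropy))
        elif raw.startswith(" "):
            new_line += 1
        # '-' lines belong to the old file and do not advance the new-file counter.
    return findings


# Constructed sample diff: a token committed to a .env file next to a harmless
# comment that merely mentions the prefix. The token value is made up.
SAMPLE_DIFF = """\
diff --git a/.env b/.env
--- a/.env
+++ b/.env
@@ -1,2 +1,3 @@
 REGISTRY=https://open-vsx.org
+OVSX_PAT=ovsxp_Ab3dEf9hIj2kLm4nOp6qRs8tUv0w
+# tokens now start with ovsxp_ so scanners can spot them
"""


if __name__ == "__main__":
    # Usage: git diff --cached | python scan_tokens.py   (exits 1 when a token is found)
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_added_lines(diff)
    for h in hits:
        print(f"line {h.line_no}: possible publish token {h.redacted} "
              f"(entropy {h.entropy:.2f} bits/char)")
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit hook, the non-zero exit blocks the commit before the token ever reaches a public repository; the same function can run server-side over pushed diffs. Findings are redacted so the scanner's own output does not become a second leak.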
Security experts warned that leaked tokens could allow attackers to publish malicious extensions or replace existing ones with compromised versions. Because editors typically install extension updates automatically, a compromised version can reach user systems without any action on the user's part, giving attackers a path to spread malware or steal sensitive data. The incident highlights how small mistakes by individual developers can have large consequences for software users around the world.
Reports also mentioned a campaign known as “GlassWorm,” where attackers used some of these leaked tokens to upload harmful extensions. These were quickly identified and removed from the platform. Although the number of affected tokens was small, the event demonstrated the ongoing risks associated with software supply chains and third-party extensions.
The Eclipse Foundation confirmed that the situation is now under control. All known leaked tokens have been revoked, and there is no sign of active malicious extensions remaining in the Open VSX registry. The organization is also adding more security measures, such as shorter token lifetimes, automatic revocation tools, and deeper scanning of published extensions to detect possible threats before release.
For developers and organizations using VS Code or Open VSX, this incident serves as an important reminder. Sensitive credentials like access tokens should never be stored in public repositories or shared in code. Teams are encouraged to review their projects, rotate their tokens, and use secret management tools to prevent accidental exposure. The quick actions by Wiz and the Eclipse Foundation helped minimize the impact, but this event shows that supply chain security must remain a top priority for the developer community.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news