The Open VSX Registry and the Eclipse Foundation have completed their investigation into a significant security incident involving exposed developer tokens and malicious extensions.
The comprehensive response reveals how the platform is strengthening defenses across the entire VS Code extension ecosystem following the breach.
The security incident began when researchers at Wiz identified multiple extension publishing tokens inadvertently exposed by developers in public repositories.
Investigation confirmed that a limited number of tokens associated with Open VSX accounts had been compromised, creating a direct pathway for attackers to publish or modify extensions without authorization.
The Open VSX team emphasized that these exposures resulted from developer mistakes rather than infrastructure compromise, immediately revoking all affected tokens upon discovery. The exposure highlighted a critical vulnerability in the development workflow where sensitive credentials can easily slip into version control systems.
Understanding the Threat
Open VSX collaborated with Microsoft Security Response Center to introduce a new token prefix format specifically designed for easier and more accurate scanning of exposed tokens across public repositories, enabling developers and security teams to identify compromised credentials faster.
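A fixed, recognizable prefix is what makes that kind of scanning tractable: a scanner can match the prefix plus the expected token body instead of guessing at high-entropy strings. The following is an added illustration of such a pre-commit or CI check, not Open VSX's or MSRC's own tooling; the prefix `ovsxp_`, the token alphabet and minimum length, and the file contents are all constructed assumptions, since the article does not state the real format.

```python
import re

# Assumed placeholder prefix: the article says a prefix format was introduced
# for scanning but does not give the literal prefix. Replace with the real one.
TOKEN_PREFIX = "ovsxp_"
# Assumed token body (alphabet and minimum length); adjust to the real format.
# The leading \b keeps "xovsxp_..." from matching as a token.
TOKEN_RE = re.compile(r"\b" + re.escape(TOKEN_PREFIX) + r"[A-Za-z0-9_-]{32,}")

# Constructed sample repository contents: two real-looking leaks and one
# documentation placeholder that must not be flagged.
SAMPLE_FILES = {
    ".github/workflows/publish.yml": (
        "    steps:\n"
        "      - run: npx ovsx publish -p ovsxp_Q7mP2xLkVb9TzRw4HsYn1eCgJd0uFaK8oBi3NvXp\n"
    ),
    ".env": "OVSX_PAT=ovsxp_Zt5wR8qLmN2vK9xC4bH7yJ1sF6gD3pA0uE5iO8rT\n",
    "README.md": "Publish with `ovsx publish -p ovsxp_<your-token>`\n",
}


def mask(token: str, keep: int = 4) -> str:
    """Redact a token for reports: keep the prefix and a few characters so
    the finding is identifiable without reprinting the secret."""
    return token[: len(TOKEN_PREFIX) + keep] + "..."


def find_exposed_tokens(files: dict) -> list:
    """Scan {path: content} and return one finding per token occurrence,
    with the token already masked."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for match in TOKEN_RE.finditer(line):
                findings.append(
                    {"path": path, "line": lineno, "token": mask(match.group(0))}
                )
    return findings


if __name__ == "__main__":
    hits = find_exposed_tokens(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit['path']}:{hit['line']}: possible publishing token {hit['token']}")
    # Non-zero exit lets a pre-commit hook or CI job block the push.
    raise SystemExit(1 if hits else 0)
```

Run against a real checkout, the same function would be fed the working tree (or the staged diff) instead of `SAMPLE_FILES`; the masked output is what you would attach to a revocation ticket so the secret itself never lands in a log.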
Security researchers at Koi Security subsequently identified a coordinated malware campaign called “GlassWorm” that leveraged the leaked tokens to publish malicious extensions to the platform.
While initial reports characterized this as a self-propagating worm comparable to the Shai-Hulud incident on npm, Open VSX clarified that the malware operated differently.
The extensions were designed to steal developer credentials, enabling attackers to expand their reach across the ecosystem, but the malware did not autonomously replicate or propagate across systems.
The campaign resulted in several malicious extensions reaching the marketplace before removal. Open VSX removed all identified malicious extensions immediately upon notification and revoked or rotated associated tokens without delay.
However, reported download statistics require context. The cited figure of 35,800 downloads includes inflated counts generated by bot traffic and visibility-boosting tactics employed by threat actors, potentially overstating actual user impact.
As of October 21, 2025, Open VSX declared the incident fully contained with no indication of ongoing compromise or remaining malicious extensions on the platform.
The response led to concrete improvements strengthening platform security, including implementing shorter default token validity periods to limit leak impact, streamlining token revocation workflows for faster response times, and deploying automated security scanning at publication to detect malicious code patterns before extensions reach users.
Open VSX continues intensive collaboration with affected developers, ecosystem partners, and independent researchers to maintain transparency and reinforce preventive measures.
These improvements demonstrate how security incidents, while disruptive, can drive meaningful ecosystem hardening and establish stronger protections for the broader developer community relying on open-source extension marketplaces.