The Open VSX team and Eclipse Foundation have addressed a significant security incident involving leaked authentication tokens and malicious extensions on their popular code marketplace.
The organization has now contained the situation and outlined concrete steps to prevent future attacks.
Earlier this month, security researchers at Wiz identified several developer tokens that had been accidentally exposed in public repositories.
These tokens, which allow developers to publish and modify extensions, belonged to accounts on the Open VSX Registry, a community-driven marketplace for VS Code extensions used by developers worldwide.
Upon investigation, the Open VSX team confirmed that some of these leaked tokens had indeed been compromised and used maliciously.
However, the organization emphasized that the exposure resulted from developer mistakes, not from any breach of Open VSX’s own infrastructure. The team immediately revoked all affected tokens to prevent further misuse.
To strengthen detection capabilities moving forward, Open VSX collaborated with Microsoft’s Security Response Center (MSRC) to introduce a special token prefix format.
This new format makes it significantly easier to scan public repositories and identify exposed tokens before attackers can exploit them.
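To illustrate why a recognisable token prefix makes repository scanning practical, here is an added example (not Open VSX's or MSRC's actual token format): it assumes a hypothetical `ovsx_` prefix, a 32-character random body and a 6-character CRC32 checksum, and shows how a scanner can match the fixed shape and then reject look-alike strings that fail the checksum.

```python
import re
import secrets
import string
import zlib

ALPHABET = string.ascii_letters + string.digits  # base62 digits
PREFIX = "ovsx_"  # assumed prefix for this example; not Open VSX's real format


def _checksum(body: str) -> str:
    """6-char base62 encoding of CRC32(body); lets a scanner reject look-alikes."""
    crc = zlib.crc32(body.encode())
    out = ""
    for _ in range(6):  # 62**6 > 2**32, so six chars always suffice
        out = ALPHABET[crc % 62] + out
        crc //= 62
    return out


def mint_token() -> str:
    """Issue a token: PREFIX + 32 random base62 chars + 6-char checksum."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(32))
    return f"{PREFIX}{body}{_checksum(body)}"


# Prefix + fixed-width body + checksum: a shape that matches almost nothing else.
TOKEN_RE = re.compile(rf"{re.escape(PREFIX)}([A-Za-z0-9]{{32}})([A-Za-z0-9]{{6}})")


def is_valid_token(candidate: str) -> bool:
    """True only if the whole string is a well-formed token with a correct checksum."""
    m = TOKEN_RE.fullmatch(candidate)
    return m is not None and _checksum(m.group(1)) == m.group(2)


def scan_text(text: str) -> list[tuple[int, str]]:
    """Scan repository content; return (line_no, token) for checksum-valid hits only."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            if _checksum(m.group(1)) == m.group(2):
                hits.append((line_no, m.group(0)))
    return hits


if __name__ == "__main__":
    leaked = mint_token()
    decoy = leaked[:-1] + ("A" if leaked[-1] != "A" else "B")  # corrupted checksum
    # Constructed sample of a committed CI config with one real leak and one decoy.
    sample = f"env:\n  OVSX_PAT: {leaked}\n  NOTE: {decoy} is not a token\n"
    print(scan_text(sample))  # only line 2 is reported
```

A scanner keyed on a plain regex alone would flag both lines; the checksum step is what keeps the alert rate low enough to act on every hit by revoking the token.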
The Malware Campaign
Around the same time, security firm Koi Security reported a malware campaign dubbed “GlassWorm” that had exploited some of these exposed tokens to publish malicious extensions.
The extensions were designed to steal developer credentials, allowing attackers to expand their reach across the ecosystem.
While the initial reports described this as a “self-propagating worm,” Open VSX clarified that the malware did not autonomously replicate itself.
Instead, it relied on stealing credentials to facilitate further attacks. The organization also noted that reported download figures of 35,800 likely overstate the actual impact, as they include artificial downloads generated by bots and manipulation tactics used by the threat actors.
The Open VSX team acted swiftly, removing all known malicious extensions from the platform and revoking associated tokens immediately upon notification.
As of October 21, 2025, the organization considers the incident fully contained with no evidence of ongoing compromise or remaining malicious content.
This incident highlighted the importance of supply chain security in open source ecosystems. Open VSX is implementing several key improvements to strengthen platform security.
Token validity periods will be shortened by default, reducing the window of opportunity if tokens leak.
The organization is also streamlining token revocation procedures and adding automated security scanning at the time of publication to detect malicious code patterns before extensions reach users.
Additionally, Open VSX is expanding collaboration with other marketplace operators to share threat intelligence and security best practices across the ecosystem.
The organization emphasized that supply chain security is a shared responsibility between developers, registry maintainers, and the broader community.
Open VSX remains committed to maintaining transparency and building a more resilient open source environment where innovation can continue safely and securely.