36,000 Downloads and Dozens of Stolen Keys: Eclipse Foundation Cleans Up Open VSX After VS Code Attack

Extensions installed on developers' work machines worldwide were at risk.

The Eclipse Foundation has revoked several compromised access tokens used for publishing extensions to the open-source Open VSX registry. The review was initiated following a publication by Wiz, a company specializing in cloud security. In early October, the company's experts discovered that working tokens had been accidentally committed in some Visual Studio Code extensions hosted in both the official Microsoft Marketplace and Open VSX. Such leaks pose a threat because they allow third parties to tamper with source code, replace extension contents, and push malicious updates to everyone who has the extension installed.
According to the Eclipse Foundation's Head of Security, the compromised keys were found in individual repositories, but the leaks were due to developer error and were not related to vulnerabilities in the Open VSX infrastructure. Analysis confirmed that the tokens could have been used to publish fake versions or make unwanted changes to existing extensions.
To reduce the risk of such incidents in the future, Open VSX, in collaboration with the Microsoft Security Response Center, has developed a new prefix system for tokens. All new keys now include the special prefix "ovsxp_", making them easier to detect during automated scans. Additionally, changes have been made to the key management process itself: tokens now have a limited lifespan by default, and revoking compromised tokens has become simpler and faster.
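The point of a fixed prefix is that a repository or CI pipeline can catch a token before it is committed. The scanner below is an added example written for this article, not Open VSX or Microsoft code; the only fact it takes from the article is the "ovsxp_" prefix, and the assumed length and character set of the rest of the token, the sample file contents and the token value in them are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Open VSX tokens now start with "ovsxp_" (from the article). The character
# class and minimum length of the remainder are ASSUMPTIONS for this example;
# check them against the real token format before relying on this in CI.
OVSX_TOKEN_RE = re.compile(r"\bovsxp_[A-Za-z0-9_-]{16,}\b")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    redacted: str  # never log the full secret, only enough to locate it


def redact(token: str) -> str:
    """Keep the prefix plus four characters so the report is useful but not a leak."""
    return token[:10] + "..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per token-like match, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in OVSX_TOKEN_RE.finditer(line):
            findings.append(Finding(path, lineno, redact(m.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (stands in for a git diff or repo walk)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def is_clean(files: dict[str, str]) -> bool:
    """Pre-commit style verdict: True when no token-like string was found."""
    return not scan_files(files)


# Constructed sample files; the token value is made up and not a real credential.
SAMPLE_FILES = {
    ".github/workflows/publish.yml": "run: ovsx publish -p ${{ secrets.OVSX_TOKEN }}\n",
    "scripts/publish.sh": "ovsx publish -p ovsxp_ExampleLeakedTokenValue0123456789\n",
    "README.md": "Use an ovsxp_ prefixed token from your Open VSX settings.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: possible Open VSX token {f.redacted}")
```

Only the hard-coded token in scripts/publish.sh is reported; the workflow that reads the token from a CI secret and the README that merely mentions the prefix are not flagged.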
Furthermore, the team removed all extensions mentioned in a report by Koi Security related to a campaign named "GlassWorm." It is emphasized that, despite the name, this is not a classic computer worm. Spreading malicious code requires obtaining developer credentials first, which rules out automatic infection. According to Eclipse Foundation representatives, the actual number of affected users is significantly lower than the reported 35,800 downloads, as some downloads were generated by bots and artificially inflated by the attackers.
In addition to the measures already implemented, Open VSX plans to expand automated checks for extensions during the publication phase. These checks will include analysis for malicious patterns and leaked secrets. These steps aim to strengthen the ecosystem's protection and minimize threats to developers and companies using third-party extensions. Foundation representatives emphasize that the resilience of the supply chain depends on all participants: authors must monitor the security of their own keys, and administrators must respond to incidents promptly.