Eclipse Foundation Revokes Leaked Open VSX Tokens to Strengthen Supply Chain Security
The Eclipse Foundation, steward of the open-source Open VSX project, has revoked a limited number of tokens that were inadvertently exposed within Visual Studio Code (VS Code) extensions available in the marketplace. The measure follows a report from cloud security firm Wiz, which identified several extensions in both Microsoft’s VS Code Marketplace and Open VSX whose access tokens had been unintentionally committed to public repositories. An exposed publisher token allows an attacker to push a new version of the extension, so such leaks could be used to hijack extensions, distribute malware, and compromise the software supply chain.
Mikaël Barbero, head of security at the Eclipse Foundation, clarified that these exposures resulted from developer errors rather than any compromise of the Open VSX infrastructure. To reduce future risk, Open VSX has introduced a new token prefix format, ovsxp_, developed in collaboration with the Microsoft Security Response Center (MSRC). A recognizable prefix lets secret-scanning tools identify exposed Open VSX tokens in public repositories without having to guess at their format.
In response to a campaign dubbed GlassWorm, identified by Koi Security, Open VSX has removed all flagged extensions. The malware associated with this campaign is not a self-replicating worm: it spreads only by stealing developer credentials and using them to publish further compromised extensions. Barbero noted that the reported download count of 35,800 likely overstates the actual number of affected users, as it includes downloads inflated by bots and by tactics threat actors use to boost an extension’s visibility.
To further enhance supply chain security, Open VSX is implementing several measures:
– Reducing default token lifetime limits to minimize the impact of accidental leaks.
– Simplifying the process for token revocation upon notification.
– Automating the scanning of extensions at the time of publication to detect malicious code patterns or embedded secrets.
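The two detection-oriented measures above, the ovsxp_ token prefix and automated scanning of extension packages for embedded secrets at publication time, can be illustrated with a small scanner. The following is an added example written for this page, not code from Open VSX, the Eclipse Foundation or the ovsx tooling. It assumes only that tokens begin with the ovsxp_ prefix named in the article; the length and character set after the prefix, the sample files and the token values are constructed for the example.

```python
import re
from typing import Dict, List

# The article documents only the "ovsxp_" prefix. The 20+ character body of
# URL-safe characters is an assumption made for this example, not the real
# token format. Lookarounds avoid matching inside longer identifiers.
OVSX_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])ovsxp_[A-Za-z0-9_-]{20,}(?![A-Za-z0-9_-])")


def is_placeholder(token: str) -> bool:
    """Treat a body made of one repeated character (e.g. ovsxp_xxxx...) as documentation filler."""
    body = token[len("ovsxp_"):]
    return len(set(body)) == 1


def redact(token: str) -> str:
    """Keep the prefix and the last four characters so a finding can be reported without re-leaking it."""
    return token[:10] + "..." + token[-4:]


def find_tokens(text: str) -> List[str]:
    """Return every prefixed token in a string that is not an obvious placeholder."""
    return [t for t in OVSX_TOKEN_RE.findall(text) if not is_placeholder(t)]


def scan_package(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan {path: content} of an extension package and report redacted findings with locations."""
    findings: List[Dict[str, object]] = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for token in find_tokens(line):
                findings.append({"path": path, "line": lineno, "redacted": redact(token)})
    return findings


def should_block_publish(files: Dict[str, str]) -> bool:
    """Registry-side gate: refuse the upload if any live-looking token is embedded in the package."""
    return bool(scan_package(files))


# Constructed sample package. OVSX_PAT is the environment variable the ovsx CLI
# reads; the token values are made up for this example and are not real secrets.
SAMPLE_FILES: Dict[str, str] = {
    "scripts/publish.sh": (
        "#!/bin/sh\n"
        "# constructed sample: a token hard-coded in a helper script\n"
        "export OVSX_PAT=ovsxp_A1b2C3d4E5f6G7h8I9j0K1l2\n"
        "npx ovsx publish\n"
    ),
    "README.md": "Set OVSX_PAT to your token, e.g. ovsxp_xxxxxxxxxxxxxxxxxxxxxxxx\n",
    ".env": "OVSX_PAT=ovsxp_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2\n",
    "src/extension.js": "const token = process.env.OVSX_PAT; // read at runtime, not committed\n",
}

if __name__ == "__main__":
    for finding in scan_package(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']}: embedded Open VSX token {finding['redacted']}")
    print("block publish:", should_block_publish(SAMPLE_FILES))
```

The placeholder check matters in practice: README examples such as ovsxp_xxxx... would otherwise generate noise that trains publishers to ignore the scanner, while the redacted report form lets the finding be logged and forwarded to the publisher without copying the live token into yet another system.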
These initiatives underscore that supply chain security is a shared responsibility: publishers must manage their tokens diligently, and registry maintainers must keep improving their ability to detect and respond to abuse.