Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace.
The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both Microsoft's VS Code Marketplace and Open VSX to have inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control and distribute malware, effectively poisoning the extension supply chain.
"Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions," Mikaël Barbero, head of security at the Eclipse Foundation, said in a statement. "These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure."
Open VSX said it has also introduced a token prefix format "ovsxat_" in collaboration with the Microsoft Security Response Center (MSRC) to make it easier to scan for exposed tokens across public repositories.
In a statement shared with The Hacker News, Barbero pointed out that all newly issued access tokens that developers use to publish extensions via scripts and CI/CD now start with the prefix ovsxat_, and that by shortening the lifetime of both old and new tokens, it will ensure that all active tokens carry the new prefix.
The Eclipse Foundation also noted that while the token prefix "ovsxp_" is being used currently, the plan is to shift to "osvxat_" as its length makes it less likely to cause false positives. "We are discussing internally how to solve the issue," it said.
"Together with MSRC, we ensured that this prefix is distinctive enough to reduce dependence on contextual clues (e.g., name pattern of an assigned variable), which lead to higher false-positive rates," Barbero said. "We believe this approach achieves a good balance between security (by enforcing consistent prefixes) and practicality, by giving publishers a grace period to rotate their tokens before enforcement."
Furthermore, the registry maintainers said they have identified and removed all extensions that were recently flagged by Koi Security as part of a campaign named "GlassWorm," while emphasizing that the malware distributed through the activity was not a "self-replicating worm" in that it first needs to steal developer credentials in order to extend its reach.
"We also believe that the reported download count of 35,800 overstates the actual number of affected users, as it includes inflated downloads generated by bots and visibility-boosting tactics used by the threat actors," Barbero added.
Open VSX said it's also in the process of enforcing a number of security changes to bolster the supply chain, including -
- Reducing the token lifetime limits by default to reduce the impact of accidental leaks
- Making token revocation easier upon notification
- Automated scanning of extensions at the time of publication to check for malicious code patterns or embedded secrets
The new measures to strengthen the ecosystem's cyber resilience come as the software supplier ecosystem and developers are increasingly becoming the target of attacks, allowing attackers far-reaching, persistent access to enterprise environments.
"Incidents like this remind us that supply chain security is a shared responsibility: from publishers managing their tokens carefully, to registry maintainers improving detection and response capabilities," Barbero said.
(The story was updated after publication to include a response from the Eclipse Foundation and clarify the use of the "ovsxp_" token prefix.)
