Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace.
The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both Microsoft's VS Code Marketplace and Open VSX to have inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control and distribute malware, effectively poisoning the extension supply chain.
"Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions," Mikaël Barbero, head of security at the Eclipse Foundation, said in a statement. "These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure."
Open VSX said it has also introduced a token prefix format "ovsxp_" in collaboration with the Microsoft Security Response Center (MSRC) to make it easier to scan for exposed tokens across public repositories.
Furthermore, the registry maintainers said they have identified and removed all extensions that were recently flagged by Koi Security as part of a campaign named "GlassWorm," while emphasizing that the malware distributed through the activity was not a "self-replicating worm" in that it first needs to steal developer credentials in order to extend its reach.
"We also believe that the reported download count of 35,800 overstates the actual number of affected users, as it includes inflated downloads generated by bots and visibility-boosting tactics used by the threat actors," Barbero added.
Open VSX said it's also in the process of enforcing a number of security changes to bolster the supply chain, including -
- Reducing the token lifetime limits by default to reduce the impact of accidental leaks
- Making token revocation easier upon notification
- Automated scanning of extensions at the time of publication to check for malicious code patterns or embedded secrets
The new measures to strengthen the ecosystem's cyber resilience come as the software supplier ecosystem and developers are increasingly becoming the target of attacks, allowing attackers far-reaching, persistent access to enterprise environments.
"Incidents like this remind us that supply chain security is a shared responsibility: from publishers managing their tokens carefully, to registry maintainers improving detection and response capabilities," Barbero said.
