The Open VSX registry rotated access tokens after they were accidentally leaked by developers in public repositories and allowed threat actors to publish malicious extensions in a supply chain attack.
The leak was discovered by Wiz researchers two weeks ago, when they reported an exposure of over 550 secrets across Microsoft VSCode and Open VSX marketplaces.
Some of those secrets reportedly could give access to projects with 150,000 downloads, allowing the threat actors to upload malicious versions of extensions, creating a significant supply-chain risk.
Open VSX, developed under the Eclipse Foundation, is an open-source alternative to Microsoft's Visual Studio Marketplace, a platform that offers extensions for the VSCode IDE.
Open VSX serves as a community-driven registry for VS Code–compatible extensions for use on AI-powered forks that cannot use Microsoft's platform, such as Cursor and Windsurf.
Some of the leaked tokens were subsequently used in a malware campaign a few days later, dubbed 'GlassWorm'.
Koi Security researchers reported that GlassWorm deployed a self-spreading malware hidden within invisible Unicode characters, which attempted to steal developer credentials and trigger cascading breaches across reachable projects.
These attacks also targeted cryptocurrency wallet data from 49 extensions, indicating that the attackers' motive was likely financial gain.
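The "invisible Unicode" technique described above hides payload text in code points that editors render as blank (Unicode tag characters, zero-width and bidi controls). The following is an added example, not code from Wiz, Koi Security, or Open VSX: a small defensive scanner that flags such code points in extension source so a reviewer can triage them before publishing or installing. The sample input is constructed; the exact code points GlassWorm used are not taken from the article.

```python
"""Flag invisible/format Unicode code points in source text (defensive check)."""
import unicodedata
from typing import List, Tuple

# Code points that render as nothing and have no place in ordinary source code.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # ZWSP, ZWNJ, ZWJ, LRM, RLM
    (0x2028, 0x202E),    # line/para separators, bidi embedding/override
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space
    (0xE0000, 0xE007F),  # Unicode "tag" characters
]

def is_invisible(ch: str) -> bool:
    """True if ch is in a known invisible range or is any other Cf (format) char."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"

def scan_source(text: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, 'U+XXXX') for every invisible code point in text.

    Splits on '\\n' only, so U+2028/U+2029 separators are reported, not swallowed.
    """
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}"))
    return findings

# Constructed sample: one innocuous line carries a run of tag characters
# (U+E0001 plus two tag-letter code points) that an editor would show as blank.
SAMPLE = (
    "const greeting = 'hello';\n"
    "const x = 1;" + "\U000E0001\U000E0061\U000E0062" + "\n"
    "module.exports = greeting;\n"
)

if __name__ == "__main__":
    for line, col, cp in scan_source(SAMPLE):
        print(f"line {line} col {col}: {cp}")
```

A hit is not proof of malice (BOMs and bidi marks occur legitimately), but any finding inside executable source merits a manual look before the package is trusted.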
The Open VSX team and the Eclipse Foundation published a blog post about the campaign and leaked tokens, stating that GlassWorm was not, in fact, self-replicating, although it did target developer credentials.
"The malware in question was designed to steal developer credentials, which could then be used to extend the attacker's reach, but it did not autonomously propagate through systems or user machines," clarifies the Open VSX team.