The Open VSX team, backed by the Eclipse Foundation, addressed a security incident that exposed vulnerabilities in its extension marketplace for Visual Studio Code.
The announcement, dated October 27, 2025, details leaked publishing tokens and a related malware campaign, emphasizing swift remediation and future safeguards to protect the open-source developer community.
Background On The Token Leaks
The issue surfaced earlier in October when security firm Wiz reported developers accidentally exposing extension publishing tokens in public GitHub repositories.
A handful of these tokens linked to Open VSX accounts, potentially allowing unauthorized modifications to extensions.
Importantly, the leaks stemmed from user errors, not any breach of Open VSX’s infrastructure. The team promptly revoked all compromised tokens upon discovery.
To prevent future exposures, Open VSX collaborated with Microsoft’s Security Response Center to introduce a unique token prefix format.
This change enables automated scanning tools to more effectively detect leaked credentials in public codebases, reducing risks across the ecosystem.
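As an added illustration of why a fixed token prefix helps automated scanners (this is example code written for this page, not Open VSX or Microsoft tooling, and the page does not state the actual prefix format, so the `ovsx_` prefix, the 32-character body, and the sample file contents below are all constructed assumptions):

```python
import re
from dataclasses import dataclass

# ASSUMPTION: the real Open VSX prefix is not given on the page; "ovsx_" followed by a
# 32-character alphanumeric body is a stand-in format used only for this example.
TOKEN_PREFIX = "ovsx_"
TOKEN_BODY_LEN = 32
TOKEN_RE = re.compile(rf"\b{re.escape(TOKEN_PREFIX)}[A-Za-z0-9]{{{TOKEN_BODY_LEN}}}\b")


@dataclass(frozen=True)
class Finding:
    """One leaked-token hit: where it was found and a redacted form safe to log."""
    path: str
    line_no: int
    redacted: str


def redact(token: str) -> str:
    """Keep the prefix plus a few characters at each end so a finding can be triaged
    without reproducing the full secret in scanner output."""
    return token[: len(TOKEN_PREFIX) + 4] + "..." + token[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line for prefixed tokens."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append(Finding(path, line_no, redact(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (as a pre-commit hook or CI step would)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents. The workflow file leaks a token; the notes
# file contains a 40-hex commit hash (high entropy, but not a token) and a string that
# starts with the prefix but is too short. A prefix-aware scanner flags only the first.
SAMPLE_FILES = {
    ".github/workflows/publish.yml": (
        "name: publish\n"
        "env:\n"
        "  OVSX_PAT: ovsx_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6\n"
    ),
    "docs/notes.md": (
        "Built from commit 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b\n"
        "Placeholder: ovsx_tooshort\n"
    ),
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: possible publishing token {f.redacted}")
```

The point of the prefix is precision: a generic high-entropy detector has to guess whether the commit hash above is a secret, while a prefixed token is unambiguous, so a scanner can report it (and a provider can revoke it) with far fewer false positives.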
The GlassWorm Malware Campaign
Concurrently, Koi Security highlighted a malware operation dubbed “GlassWorm,” which exploited some leaked tokens to upload malicious extensions.
Described as a self-propagating worm akin to the earlier ShaiHulud npm attack, the malware aimed to harvest developer credentials for broader reach.
However, Open VSX clarified that the malware was not truly self-replicating: it had no means of spreading autonomously across user systems.
The campaign’s reported 35,800 downloads appear inflated by bots and artificial boosting tactics.
Upon alert, Open VSX removed all identified malicious extensions and rotated or revoked linked tokens, minimizing harm.
Incident Resolution And Platform Enhancements
By October 21, 2025, the incident was fully contained, with no signs of lingering threats.
The team is now rolling out key improvements: shorter default token lifespans, streamlined revocation processes, pre-publication security scans for malicious code, and deeper collaboration with VS Code marketplace operators.
This event highlights the shared burden of supply chain security in open-source environments.
Open VSX urges developers to handle tokens securely and invites vulnerability reports. As the platform evolves, its commitment to transparency ensures safer innovation for all.