The Open VSX Registry and Eclipse Foundation have disclosed a security incident involving leaked developer tokens and malicious extensions that exploited those credentials to compromise the marketplace.
The incident has since been contained, with the team implementing sweeping improvements to prevent future occurrences.
What Went Wrong
The trouble began when security researchers at Wiz identified several extension publishing tokens carelessly exposed in public code repositories.
Some of these tokens belonged to Open VSX account holders. An investigation confirmed that attackers leveraged these leaked credentials to publish malicious extensions onto the platform.
The Eclipse Foundation emphasized that the token exposures resulted from developer oversights rather than infrastructure breaches.
Once the team identified the compromised tokens, they revoked them immediately.
To strengthen detection capabilities, the Open VSX team collaborated with Microsoft Security Response Center (MSRC) to establish a token prefix format that enables faster scanning for exposed tokens across public repositories.
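As an added illustration of the prefix-based scanning described above (example code written for this article, not Open VSX's or MSRC's own tooling; the `ovsx_` prefix, the token length and the entropy threshold are assumptions, since the article does not give the real format):

```python
import math
import re
from collections import Counter

# Assumed prefix: the real Open VSX token prefix agreed with MSRC is not stated in the article.
TOKEN_PREFIX = "ovsx_"
# Assumed token shape: prefix followed by at least 32 URL-safe characters.
TOKEN_RE = re.compile(rf"\b{re.escape(TOKEN_PREFIX)}[A-Za-z0-9_-]{{32,}}\b")
# Placeholder values in docs (xxxx..., aaaabbbb...) have low entropy; real random tokens sit well above this.
MIN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; used to separate real secrets from sample/placeholder values."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Report a finding without echoing the secret: keep the prefix and the last four characters."""
    return f"{TOKEN_PREFIX}...{token[-4:]}"


def find_leaked_tokens(text: str) -> list[tuple[int, str]]:
    """Return (line_number, token) pairs for prefix-matching strings whose body looks random enough to be real."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            body = match.group(0)[len(TOKEN_PREFIX):]
            if shannon_entropy(body) >= MIN_ENTROPY:
                hits.append((line_no, match.group(0)))
    return hits


# Constructed sample of a committed CI script; line 2 holds a made-up high-entropy token, line 3 a placeholder.
SAMPLE_FILE = """# constructed sample, not a real repository
export PUBLISHER_TOKEN="ovsx_k3Qm9vL2xT7pBzR4nW8cY1hJ6dF0sA5gU2eN7iV9"
export EXAMPLE_TOKEN="ovsx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for line_no, token in find_leaked_tokens(SAMPLE_FILE):
        print(f"line {line_no}: possible leaked publisher token {redact(token)}")
```

The prefix makes the match cheap enough to run on every push, and the entropy check keeps documentation placeholders out of the alert queue.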
A separate security report from Koi Security described a malware campaign called “GlassWorm” that exploited the leaked tokens to distribute malicious extensions.
The attackers designed the malware to steal developer credentials, which could then extend their reach further into the ecosystem.
The original report characterized this as a “self-propagating worm,” drawing parallels to the Shai-Hulud incident that affected npm in September.
However, the Open VSX team clarified that while the threat was serious, it wasn’t a true self-replicating worm.
The malware required human intervention to spread through credential theft rather than autonomously propagating across systems.
Regarding impact numbers, Open VSX disputed the reported 35,800 download count, suggesting the figure includes artificial downloads generated by bots and visibility-boosting tactics employed by the threat actors themselves.
The actual number of affected users likely remains significantly lower.
All identified malicious extensions were removed from Open VSX immediately upon notification. The team revoked or rotated associated tokens without delay.
As of October 21, 2025, the incident was declared fully contained with no evidence of ongoing compromise or remaining malicious extensions on the platform.
Strengthening Security Going Forward
The incident prompted Open VSX to implement several security enhancements. Token lifetime limits will now restrict default validity periods, reducing the potential damage from accidental leaks.
The team is also streamlining token revocation processes and implementing automated security scanning at the publication stage to detect malicious code patterns before extensions reach users.
Additionally, Open VSX continues collaborating with ecosystem partners, including VS Code and third-party marketplace operators, to share threat intelligence and security best practices.