Open VSX: Eclipse Foundation Draws Consequences from GlassWorm Attack

The Eclipse Foundation has resolved the security incident at Open VSX and is introducing new measures to protect developer accounts.

Security lock on an outstretched hand

(Image: FON's Fasai/Shutterstock.com)

The Eclipse Foundation has addressed its latest security incident involving Open VSX – the open-source marketplace for VS Code extensions. Recently, it became known that access tokens had accidentally ended up in public repositories. Some of these were misused to inject manipulated extensions.

According to the foundation, cloud security company Wiz reported several exposed tokens that developers had unintentionally published. Some of these belonged to accounts on Open VSX. The tokens were revoked immediately after they became known. At no point was the infrastructure itself compromised – the incident was solely due to human error.

To detect similar problems faster in the future, the team, in coordination with Microsoft's Security Response Center, introduced a new prefix format for tokens so that secret scanners can recognise them automatically.
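As an added illustration (not code from the article or from the Eclipse Foundation), the following Python contrasts a generic high-entropy heuristic, which also flags commit hashes and similar strings, with an exact scan for a prefixed token format; the prefix `ovsx_`, the token length and the sample file are assumptions.

```python
"""Prefix-based secret scanning versus an entropy heuristic (added example)."""
import math
import re
from collections import Counter

# Assumed placeholder prefix: the article only says Open VSX adopted a
# prefixed token format; the real prefix and token length are not given.
TOKEN_PREFIX = "ovsx_"
TOKEN_BODY_LEN = 40  # assumed length of the random part
PREFIXED_TOKEN_RE = re.compile(
    r"\b" + re.escape(TOKEN_PREFIX) + r"[A-Za-z0-9_-]{%d}\b" % TOKEN_BODY_LEN
)
# Generic "looks like a secret" heuristic: any long run of token-like characters.
LONG_WORD_RE = re.compile(r"[A-Za-z0-9_+/-]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the string's own symbol histogram."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def entropy_candidates(text: str, threshold: float = 3.5) -> list[str]:
    """Heuristic scan for unprefixed secrets: every long, high-entropy word.
    Commit hashes and checksums trigger it too, so hits need manual review."""
    return [w for w in LONG_WORD_RE.findall(text) if shannon_entropy(w) >= threshold]


def prefixed_tokens(text: str) -> list[str]:
    """Exact scan for the prefixed format: a hit is unambiguous, so a platform
    can act on it automatically (for example, revoke the token)."""
    return PREFIXED_TOKEN_RE.findall(text)


# Constructed sample file; the values are made up and are not real credentials.
SAMPLE = """\
LEGACY_TOKEN=Qm7Xz2pL9vK4tR8nW1yB5cJ0hF6dS3gA_uE-ioTa
PUBLISH_TOKEN=ovsx_hN3kP8rV1sD6wY0zB4mC9jF2xL7qT5gE_aU-ieoR
LAST_RELEASE_COMMIT=4f8c2a9e1d7b3065c9e2f1a8d4b7c0e63a5d9b21
HOMEPAGE=https://example.invalid/extensions
"""

if __name__ == "__main__":
    print("entropy heuristic:", entropy_candidates(SAMPLE))  # three hits, one is a commit hash
    print("prefixed tokens:  ", prefixed_tokens(SAMPLE))     # exactly the prefixed token
```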

At the same time, security service provider Koi Security reported a malware wave named "GlassWorm", whose operators used some of the leaked tokens to publish malicious Open VSX extensions. According to the Eclipse Foundation, however, this was not a classic self-propagating worm but malware that specifically stole developer credentials.

All affected extensions were immediately removed, and all compromised tokens were revoked. The reports of around 35,800 downloads were exaggerated, according to Eclipse, as many retrievals were generated by bots or through visibility tricks.

The foundation now states that the incident has been officially closed since October 21, 2025. There are no indications of any still active or malicious extensions. However, the team continues to work with security researchers and project partners to improve transparency and protective measures.

In the future, the Eclipse Foundation will implement several structural changes: tokens will have shorter lifespans and be easier to revoke. Furthermore, an automatic security check will be performed with every release to detect malware or accidentally published secrets early on.

In addition, Open VSX aims for closer cooperation with other marketplace operators, including the VS Code ecosystem. Jointly evaluating threats and best practices is intended to reduce the risk of similar incidents.

The foundation also uses its final report as an appeal to the developer community: supply chain security is a shared task. Those who use tokens must protect them carefully. Platform operators, in turn, have a duty to provide tools and processes that prevent misuse.

With the measures now initiated, Open VSX aims to strengthen its resilience so that the open developer community can continue to collaborate safely in the future.

(mdo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.