Open VSX had a limited number of tokens exposed within the VSCode extensions revoked by project maintainer Eclipse Foundation following a Wiz report detailing the compromise of Open VSX and VSCode extensions with the GlassWorm malware as part of a supply chain intrusion, reports The Hacker News."Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions. These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure," said Eclipse Foundation Head of Security Mikael Barbero.Initial reports of the illicit extensions being downloaded nearly 36,000 times may have also been inflated by attackers' bots and visibility-boosting techniques, added Barbero. Aside from removing all of the infected extensions, Open VSX is also moving to curb token lifetime limits by default and ease token revocation procedures.Automated extension scanning for nefarious code patterns and secrets is also being mulled by Open VSX.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




