Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery

The Hacker News by The Hacker News
October 31, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Oct 31, 2025Ravie LakshmananMalware / Secure Coding

Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace.

The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both Microsoft’s VS Code Marketplace and Open VSX to have inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control and distribute malware, effectively poisoning the extension supply chain.

“Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions,” Mikaël Barbero, head of security at the Eclipse Foundation, said in a statement. “These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure.”

Open VSX said it has also introduced a token prefix format “ovsxp_” in collaboration with the Microsoft Security Response Center (MSRC) to make it easier to scan for exposed tokens across public repositories.

CIS Build Kits

Furthermore, the registry maintainers said they have identified and removed all extensions that were recently flagged by Koi Security as part of a campaign named “GlassWorm,” while emphasizing that the malware distributed through the activity was not a “self-replicating worm” in that it first needs to steal developer credentials in order to extend its reach.

“We also believe that the reported download count of 35,800 overstates the actual number of affected users, as it includes inflated downloads generated by bots and visibility-boosting tactics used by the threat actors,” Barbero added.

Open VSX said it’s also in the process of enforcing a number of security changes to bolster the supply chain, including –

  • Reducing the token lifetime limits by default to reduce the impact of accidental leaks
  • Making token revocation easier upon notification
  • Automated scanning of extensions at the time of publication to check for malicious code patterns or embedded secrets

The new measures to strengthen the ecosystem’s cyber resilience come as the software supplier ecosystem and developers are increasingly becoming the target of attacks, allowing attackers far-reaching, persistent access to enterprise environments.

“Incidents like this remind us that supply chain security is a shared responsibility: from publishers managing their tokens carefully, to registry maintainers improving detection and response capabilities,” Barbero said.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Capgemini and Siemens combine to make AI industrial tech | Computer Weekly

Capgemini and Siemens combine to make AI industrial tech | Computer Weekly

Recommended.

Mid-Rivers Communications Elevates Customer Engagement With GOCare’s Digital Experience Suite

Mid-Rivers Communications Elevates Customer Engagement With GOCare’s Digital Experience Suite

July 10, 2025
Huawei lance les pare-feux HiSecEngine de la série USG6000G pour protéger les entreprises sur la voie de l’intelligence totale.

Huawei lance les pare-feux HiSecEngine de la série USG6000G pour protéger les entreprises sur la voie de l’intelligence totale.

March 6, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio