Open VSX rotates access tokens used in supply-chain malware attack

The Open VSX registry rotated access tokens after developers accidentally leaked them in public repositories, allowing threat actors to publish malicious extensions in a supply chain attack.

The leak was discovered by Wiz researchers two weeks ago, when they reported an exposure of over 550 secrets across Microsoft VSCode and Open VSX marketplaces.

Some of those secrets reportedly could give access to projects with 150,000 downloads, allowing the threat actors to upload malicious versions of extensions and creating a significant supply-chain risk.

Open VSX, developed under the Eclipse Foundation, is an open-source alternative to Microsoft's Visual Studio Marketplace, a platform that offers extensions for the VSCode IDE.

Open VSX serves as a community-driven registry for VS Code–compatible extensions for use on AI-powered forks that cannot use Microsoft's platform, such as Cursor and Windsurf.

Some of the leaked tokens were used a few days later in a malware campaign dubbed 'GlassWorm'.

Koi Security researchers reported that GlassWorm deployed a self-spreading malware hidden within invisible Unicode characters, which attempted to steal developer credentials and trigger cascading breaches across reachable projects.
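As an added illustration, not code from the article or from Koi Security's report, the following defender-side scanner reports runs of invisible Unicode code points in extension source text, the kind of hiding place described above; the sample source is constructed, and the category and filler lists are my own choice of what counts as invisible.

```python
import unicodedata
from dataclasses import dataclass

# Characters that render as nothing in most editors. Unicode category "Cf"
# (format) covers zero-width joiners, bidi controls, tag characters and
# variation selectors; the set adds blank "filler" letters of category Lo.
EXTRA_INVISIBLE = {0x115F, 0x1160, 0x3164, 0xFFA0, 0x180E}  # Hangul/Mongolian fillers

def is_invisible(ch: str) -> bool:
    return ord(ch) in EXTRA_INVISIBLE or unicodedata.category(ch) == "Cf"

@dataclass
class Finding:
    line: int              # 1-based line number
    col: int               # 1-based column where the run starts
    length: int            # consecutive invisible code points
    codepoints: list[int]  # the run itself, for triage

def scan_text(text: str, min_run: int = 1) -> list[Finding]:
    """Return runs of at least *min_run* invisible code points, longest first."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        i = 0
        while i < len(line):
            if not is_invisible(line[i]):
                i += 1
                continue
            j = i
            while j < len(line) and is_invisible(line[j]):
                j += 1
            if j - i >= min_run:
                findings.append(Finding(lineno, i + 1, j - i, [ord(c) for c in line[i:j]]))
            i = j
    findings.sort(key=lambda f: f.length, reverse=True)
    return findings

# Constructed sample (not real GlassWorm code): an innocuous entry point
# followed by a hidden run of zero-width characters, plus a legitimate ZWJ
# inside an emoji sequence that a naive single-character scan would flag.
SAMPLE = (
    'const name = "hello";\n'
    'export function activate() {}' + "\u200b\u200c\u200d\u2060" * 8 + "\n"
    'const emoji = "\U0001F468\u200d\U0001F4BB";  // man technologist, legit ZWJ\n'
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE, min_run=4):
        print(f"line {f.line} col {f.col}: {f.length} invisible code points "
              f"starting U+{f.codepoints[0]:04X}")
```

Long runs are the signal worth alerting on; `min_run=4` skips the isolated joiners that legitimate emoji sequences contain, while `min_run=1` lists every occurrence for manual review.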

These attacks also targeted cryptocurrency wallet data from 49 extensions, indicating that the attackers' motive was likely financial gain.

Source: BleepingComputer