Eclipse Foundation (Open VSX Registry)

The Eclipse Foundation’s Open VSX Registry suffered a security incident in which developer publishing tokens leaked in public repositories were used by attackers to publish malicious extensions (e.g., the *GlassWorm* malware). Although initially misreported as a self-propagating worm, the campaign spread through stolen credentials, targeting developers to expand its access. The incident was contained by revoking the compromised tokens, removing the malicious extensions, and introducing stricter token management (e.g., shorter token lifetimes and automated scanning). Although the threat actors inflated download metrics (e.g., 35,800 claimed downloads), the actual user impact was lower. No evidence of ongoing compromise or of data exfiltration beyond the credential abuse was confirmed. Collaboration with the Microsoft Security Response Center (MSRC) and ecosystem partners was established to improve threat detection and prevention.

Source: https://cyberpress.org/open-vsx-registry/

TPRM report: https://www.rankiteo.com/company/eclipse-foundation

"id": "ecl4092940110325",
"linkid": "eclipse-foundation",
"type": "Breach",
"date": "11/2025",
"severity": "60",
"impact": "",
"explanation": "Attack with significant impact with internal employee data leaks: - Attack which causes data leak of employee of the company - Attack in which company lost current and former employees data through phishing scam"
{'affected_entities': [{'customers_affected': 'Significantly lower than '
                                              'reported 35,800 (includes '
                                              'bot-generated downloads)',
                        'industry': 'Software Development',
                        'name': 'Open VSX Registry',
                        'type': 'Open-source extension marketplace'},
                       {'industry': 'Software Development',
                        'name': 'Eclipse Foundation',
                        'type': 'Non-profit organization'}],
 'attack_vector': ['exposed API tokens in public repositories',
                   'malware (GlassWorm)',
                   'credential theft'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High (credentials and tokens for '
                                        'extension publishing)',
                 'type_of_data_compromised': ['developer credentials',
                                              'publishing tokens']},
 'date_resolved': '2025-10-21',
 'description': 'The Open VSX Registry and Eclipse Foundation disclosed a '
                'security incident where leaked developer tokens were '
                'exploited to publish malicious extensions on the marketplace. '
                'The incident was contained, and security improvements were '
                'implemented to prevent future occurrences. Attackers '
                'leveraged exposed tokens (identified by Wiz security '
                "researchers) to distribute malware, including the 'GlassWorm' "
                'campaign, which stole developer credentials. The Open VSX '
                'team revoked compromised tokens, removed malicious '
                'extensions, and collaborated with Microsoft Security Response '
                'Center (MSRC) to enhance token detection. The actual user '
                'impact was lower than initially reported (35,800 downloads '
                'included bot-generated activity).',
 'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
                                       'malicious extensions and credential '
                                       'theft',
            'data_compromised': ['developer credentials', 'publishing tokens'],
            'identity_theft_risk': 'High (developer credentials stolen)',
            'operational_impact': 'Temporary disruption during token '
                                  'revocation and malicious extension removal',
            'systems_affected': ['Open VSX Registry', 'developer accounts']},
 'initial_access_broker': {'entry_point': 'Exposed publishing tokens in public '
                                          'repositories',
                           'high_value_targets': ['developer credentials',
                                                  'extension publishing '
                                                  'accounts']},
 'investigation_status': 'Completed',
 'lessons_learned': ['Developer oversights in token management can lead to '
                     'supply chain attacks',
                     'Need for stricter token lifecycle management (e.g., '
                     'shorter validity periods)',
                     'Importance of automated scanning for exposed credentials '
                     'and malicious code',
                     'Collaboration with ecosystem partners enhances threat '
                     'detection and response'],
 'motivation': ['credential theft',
                'malware distribution',
                'supply chain compromise'],
 'post_incident_analysis': {'corrective_actions': ['Implemented token prefix '
                                                   'format for faster scanning',
                                                   'Introduced token lifetime '
                                                   'limits and automated '
                                                   'revocation',
                                                   'Added security scanning at '
                                                   'extension publication '
                                                   'stage',
                                                   'Enhanced collaboration '
                                                   'with MSRC and other '
                                                   'partners'],
                            'root_causes': ['Developer negligence in handling '
                                            'publishing tokens',
                                            'Lack of automated detection for '
                                            'exposed credentials',
                                            'Absence of token lifetime '
                                            'restrictions']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Implement token prefix formats for easier detection of '
                     'exposed credentials',
                     'Enforce token lifetime limits and automate revocation '
                     'processes',
                     'Integrate security scanning at the extension publication '
                     'stage',
                     'Educate developers on secure credential handling '
                     'practices',
                     'Strengthen partnerships for threat intelligence sharing'],
 'references': [{'source': 'Wiz Security Research'},
                {'source': 'Koi Security Report on GlassWorm'},
                {'source': 'Eclipse Foundation Official Statement'}],
 'response': {'containment_measures': ['Token revocation/rotation',
                                       'Removal of malicious extensions',
                                       'Automated security scanning at '
                                       'publication stage'],
              'enhanced_monitoring': 'Automated scanning for exposed tokens '
                                     'and malicious code patterns',
              'incident_response_plan_activated': True,
              'remediation_measures': ['Token lifetime limits',
                                       'Streamlined token revocation processes',
                                       'Collaboration with VS Code and '
                                       'third-party marketplaces for threat '
                                       'intelligence sharing'],
              'third_party_assistance': ['Microsoft Security Response Center '
                                         '(MSRC)',
                                         'Wiz',
                                         'Koi Security']},
 'title': 'Open VSX Registry Security Incident Involving Leaked Developer '
          'Tokens and Malicious Extensions',
 'type': ['credential compromise',
          'malicious extension distribution',
          'supply chain attack'],
 'vulnerability_exploited': 'Developer oversight leading to token exposure in '
                            'public repositories'}