All news with #open vsx tag

GlassWorm Returns: 24 Malicious Extensions Target Developers

🔍 The GlassWorm supply-chain campaign has resurfaced with 24 malicious extensions distributed across the Microsoft Visual Studio Marketplace and Open VSX, impersonating popular developer tools such as Flutter, React and Tailwind. Researchers say attackers inflated download counts and slipped malicious updates after initial approval to evade filters. Analysis found Rust-based implants that load platform-specific libraries (os.node and darwin.node) to fetch Solana-based C2 details and download encrypted JavaScript payloads, while a Google Calendar fallback is also used. Developers and repository maintainers are urged to audit installed extensions and review update histories.

Glassworm Malware Surges in Third Wave of VS Code Extensions

🐛 The Glassworm campaign has resurfaced in a third wave, with 24 new malicious VS Code-compatible extensions appearing on both the Microsoft Visual Studio Marketplace and OpenVSX. Once installed, these extensions push updates that deploy Rust-based implants, use invisible Unicode to evade review, exfiltrate GitHub, npm, and OpenVSX credentials and cryptocurrency wallet data, and deploy a SOCKS proxy and an HVNC client for stealthy remote access. Researchers say attackers inflate download counts to blend with legitimate projects and manipulate search results; both vendors have been contacted about continued bypasses.

Open VSX Rotates Leaked Tokens After Supply-Chain Attack

🔒 Open VSX rotated access tokens after developers accidentally leaked credentials in public repositories, a lapse that allowed attackers to publish malicious VS Code–compatible extensions in a supply‑chain campaign. The Eclipse Foundation says the threat, linked to a campaign dubbed GlassWorm, was contained by Oct 21 after malicious extensions were removed and tokens revoked. The registry plans shorter token lifetimes, faster revocation workflows, automated publication scans, and increased collaboration with other marketplaces to reduce future risk.

Eclipse Foundation Revokes Leaked Open VSX Tokens Promptly

🔒 The Eclipse Foundation said it revoked a small number of Open VSX access tokens after Wiz reported several VS Code extensions had inadvertently exposed credentials in public repositories. The exposures were attributed to developer error, not an Open VSX infrastructure compromise. Open VSX introduced an ovsxp_ token prefix, removed flagged extensions, reduced default token lifetimes, and plans automated scans to bolster supply‑chain defenses.

Over 100 VS Code Extensions Leaked Access Tokens Exposed

🔒 Wiz researchers found that publishers of over 100 Visual Studio Code extensions leaked personal access tokens and other secrets that could allow attackers to push malicious extension updates across large install bases. The team validated more than 550 secrets across 500+ extensions spanning 67 types, including AI provider keys, cloud credentials, database and payment secrets. Over 100 extensions exposed Marketplace PATs (≈85,000 installs) and ~30 exposed Open VSX tokens (≈100,000 installs); many flagged packages were themes and hard-coded secrets in .vsix files were often discoverable. Microsoft revoked leaked tokens after disclosure and is adding secret-scanning; users and organizations were advised to limit extensions, vet packages, maintain inventories, and consider centralized allowlists.