Open VSX Registry Responds to Leaked Tokens and Malicious Extension Incident
gbhackers
The Open VSX team and Eclipse Foundation have addressed a significant security incident involving leaked authentication tokens and malicious extensions on their popular code marketplace.
The organization has now contained the situation and outlined concrete steps to prevent future attacks.
Earlier this month, security researchers at Wiz identified several developer tokens that had been accidentally exposed in public repositories.
These tokens, which allow developers to publish and modify extensions, belonged to accounts on the Open VSX Registry, a community-driven marketplace for VS Code extensions used by developers worldwide.
Upon investigation, the Open VSX team confirmed that some of these leaked tokens had indeed been compromised and used maliciously.
However, the organization emphasized that the exposure resulted from developer mistakes, not from any breach of Open VSX’s own infrastructure. The team immediately revoked all affected tokens to prevent further misuse.
To strengthen detection capabilities moving forward, Open VSX collaborated with ...
Copyright of this story solely belongs to gbhackers.

