
The Eclipse Foundation, which manages the open source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within a Visual Studio Code (VS Code) extension published in the marketplace.
This action follows a report from cloud security firm Wiz earlier this month that found that several extensions in both Microsoft’s VS Code Marketplace and Open VSX inadvertently exposed access tokens in public repositories, potentially allowing malicious parties to seize control and distribute malware, effectively contaminating the extension supply chain.
“Through our investigation, we have determined that a small number of tokens were compromised and may have been used to publish or modify extensions,” Mikaël Barbero, head of security at the Eclipse Foundation, said in a statement. “These exposures were caused by developer error and were not caused by a compromise of the Open VSX infrastructure.”
Open VSX said it has also introduced the token prefix format “ovsxp_” in collaboration with the Microsoft Security Response Center (MSRC) to facilitate scanning of published tokens across public repositories.

Additionally, registry administrators said they have identified and removed all extensions recently reported by Koi Security as part of a campaign named “GlassWorm,” while stressing that the malware distributed through this campaign is not a “self-replicating worm,” because it first needs to steal developer credentials in order to expand its reach.
“We also believe that the reported download count of 35,800 overstates the actual number of users affected, as it includes inflated downloads generated by bots and visibility tactics used by threat actors,” Barbero added.
Open VSX said it is implementing a number of security changes to strengthen its supply chain, including:
- Shorten token expiration times by default to reduce the impact of accidental leaks
- Facilitate token revocation upon notification
- Automatically scan extensions for malicious code patterns and embedded secrets upon publication
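The “ovsxp_” prefix described above and the planned scan for embedded secrets at publication time are two sides of the same detection problem: a known prefix lets a scanner match leaked tokens exactly, whereas tokens with no fixed format can only be guessed at by entropy heuristics that also fire on innocent strings such as commit hashes. The following added example (written for this article, not code from the Eclipse Foundation, Open VSX or Wiz) is a small pre-publish scanner that does both and shows the difference. The page only states the prefix; the token body pattern, the entropy threshold, the sample file contents and the `OVSX_PAT` variable name are assumptions and the token values are constructed placeholders, not real credentials.

```python
"""Pre-publish secret scan: prefix-based vs entropy-based detection.

Added example, not Open VSX project code.  Assumptions: tokens begin with
"ovsxp_" (stated on the page); the body alphabet/length, the entropy
threshold and all sample file contents below are constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Exact match on the documented prefix.  The body pattern {16,} is an
# assumption; a real scanner would use the registry's published format.
PREFIX_TOKEN_RE = re.compile(r"\bovsxp_[A-Za-z0-9_-]{16,}")

# Fallback for secrets with no recognisable prefix: any long run of
# token-like characters becomes a candidate for an entropy check.
GENERIC_CANDIDATE_RE = re.compile(r"[A-Za-z0-9_\-+/=]{24,}")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str      # "prefixed-token" (high confidence) or "high-entropy" (triage)
    excerpt: str   # redacted so findings can be logged without re-leaking the secret


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only enough of the candidate to locate it in the file."""
    return token[:10] + "..."


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan one file's contents line by line and return findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # 1. Prefix match: unambiguous, report every hit.
        for m in PREFIX_TOKEN_RE.finditer(line):
            findings.append(Finding(path, line_no, "prefixed-token", redact(m.group())))
        # 2. Entropy heuristic for everything else.  Candidates that already
        #    contain a prefixed token are skipped to avoid double reporting.
        for m in GENERIC_CANDIDATE_RE.finditer(line):
            candidate = m.group()
            if PREFIX_TOKEN_RE.search(candidate):
                continue
            if shannon_entropy(candidate) >= entropy_threshold:
                findings.append(Finding(path, line_no, "high-entropy", redact(candidate)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of relative path -> file contents (e.g. a staged package)."""
    results: list[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def should_block_publish(findings: list[Finding]) -> bool:
    """Publication gate: a prefixed token is a certain leak, so block on it.

    High-entropy hits are returned for human triage but do not block, since
    they include false positives such as commit hashes."""
    return any(f.kind == "prefixed-token" for f in findings)


# Constructed sample package contents.  The ovsxp_ values are placeholders,
# not real tokens; the hex string is a made-up commit id.
SAMPLE_FILES = {
    ".env": 'OVSX_PAT="ovsxp_EXAMPLEtokenBODY0123456789abcdef"\n',
    "scripts/publish.sh": "#!/bin/sh\nexport OVSX_PAT=ovsxp_EXAMPLEtokenBODY0123456789abcdef\n",
    "CHANGELOG.md": "## 1.2.0\n- Fixed packaging (commit 3b9d1f7e2c8a0b5d4e6f9a1c2b3d4e5f6a7b8c9d)\n",
    "README.md": "This extension publishes to Open VSX with the ovsx CLI.\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.excerpt}")
    print("block publish:", should_block_publish(found))
```

Run on the constructed package, the scanner reports the two prefixed tokens (in `.env` and `scripts/publish.sh`) as certain leaks and the commit hash in `CHANGELOG.md` only as a high-entropy candidate. That is the practical value of a fixed prefix: the exact match can safely gate publication and drive automatic revocation, while the entropy path still needs a human to separate real secrets from hashes and encoded data.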
The new steps to strengthen the ecosystem’s cyber resilience come as the software supply chain and the developers who maintain it are increasingly targeted by attacks that give attackers widespread and persistent access to enterprise environments.
“Incidents like this remind us that supply chain security is a shared responsibility, from publishers carefully managing their tokens to registry administrators improving their detection and response capabilities,” Barbero said.
