{"id":224296,"date":"2025-10-31T06:23:02","date_gmt":"2025-10-31T11:23:02","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/10\/eclipse-foundation-revokes-leaked-open-vsx-tokens-following-wiz-discovery"},"modified":"2025-10-31T06:23:02","modified_gmt":"2025-10-31T11:23:02","slug":"eclipse-foundation-revokes-leaked-open-vsx-tokens-following-wiz-discovery","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/10\/eclipse-foundation-revokes-leaked-open-vsx-tokens-following-wiz-discovery","title":{"rendered":"Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/eclipse-foundation-revokes-leaked-open-vsx-tokens-following-wiz-discovery2.jpg\"><\/a><\/p>\n<p>Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace.<\/p>\n<p>The action comes following a <a href=\"https:\/\/thehackernews.com\/2025\/10\/over-100-vs-code-extensions-exposed.html\" rel=\"noopener\" target=\"_blank\">report<\/a> from cloud security company Wiz earlier this month, which found several extensions from both Microsoft\u2019s VS Code Marketplace and Open VSX to have inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control and distribute malware, effectively poisoning the extension supply chain.<\/p>\n<p>\u201cUpon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions,\u201d Mika\u00ebl Barbero, head of security at the Eclipse Foundation, <a href=\"https:\/\/blogs.eclipse.org\/post\/mika%C3%ABl-barbero\/open-vsx-security-update-october-2025\" rel=\"noopener\" target=\"_blank\">said<\/a> in a statement. \u201cThese exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace. The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-224296","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/224296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=224296"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/224296\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=224296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=224296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=224296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}