Eclipse Foundation Supply Chain Risk: Open VSX Token Exposure Sparks Security Response
Executive Summary
In June 2025, the Eclipse Foundation, custodians of the Open VSX open-source project, took immediate remedial action after Wiz security researchers reported that authentication tokens had been unintentionally leaked in several Visual Studio Code (VS Code) extensions across official marketplaces. These exposed tokens could have allowed malicious actors to tamper with extensions, inject malicious code, or compromise downstream developer environments. Upon validation, the Eclipse Foundation promptly revoked a limited set of impacted tokens and notified affected extension maintainers, mitigating potential risks before evidence of active exploitation surfaced. This event underscores the inherent risks in software supply chains, particularly in widely-used open-source development tools.
Software supply chain vulnerabilities remain a top concern for enterprises as development workflows increasingly depend on publicly distributed packages and extensions. The growing adoption of open-source ecosystems means that even small credential leaks can impact thousands of users, driving new urgency for continuous monitoring and proactive threat detection.
Why This Matters Now
This incident highlights the ongoing risk presented by embedded secrets in software supply chains, particularly with popular open-source development tools. With attackers continually targeting trusted distribution channels to reach downstream users, immediate identification and revocation of leaked credentials are more vital than ever.
Attack Path Analysis
The attack began with the compromise of developer tokens exposed in VS Code extensions, allowing the adversary to upload or modify extensions in public marketplaces. Leveraging these credentials, the attacker potentially escalated privileges to manipulate or distribute malicious code via the supply chain. The attacker may have moved laterally across related build systems or repositories, seeking additional assets using automated access. Communication with attacker infrastructure could have been established through marketplace APIs or cloud egress, enabling ongoing command and control. Sensitive artifacts or code may have been exfiltrated via outbound API calls or repo syncs. Ultimately, the impact manifests as possible supply chain poisoning, reputational damage, or exposure of further secrets until the tokens were revoked.
Kill Chain Progression
Initial Compromise
Description
Attacker obtained and abused leaked Open VSX authentication tokens present within publicly published VS Code extensions to gain unauthorized access.
Related CVEs
CVE-2025-6705
CVSS 5.3A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions.
Affected Products:
Eclipse Foundation Open VSX Registry – before 2025-06-24
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Supply Chain Compromise
Valid Accounts
Unsecured Credentials: Credentials In Files
Obtain Capabilities: Code Signing Certificates
Command and Scripting Interpreter
Phishing
Exfiltration Over Alternative Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Management of Credentials
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Credential and Secret Management
Control ID: Identity Pillar - Credential Protection
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting developer tools and VS Code extensions compromise software development environments, requiring zero trust segmentation and enhanced threat detection capabilities.
Information Technology/IT
Leaked authentication tokens in development marketplaces expose IT infrastructure to lateral movement and data exfiltration, necessitating multicloud visibility and egress security controls.
Financial Services
Compromised development tools threaten PCI compliance and sensitive financial data protection through supply chain vulnerabilities, requiring encrypted traffic and anomaly detection systems.
Health Care / Life Sciences
Developer environment breaches risk HIPAA compliance violations and patient data exposure through compromised extensions, demanding kubernetes security and threat detection frameworks.
Sources
- Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discoveryhttps://thehackernews.com/2025/10/eclipse-foundation-revokes-leaked-open.htmlVerified
- Eclipse Open VSX Registry Security Advisoryhttps://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-open-vsx-registry-security-advisoryVerified
- CVE-2025-6705 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-6705Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Network segmentation, granular workload policy enforcement, and egress control at key cloud borders would have constrained or detected unauthorized token use and supply chain abuse. Zero Trust Segmentation and Threat Detection capabilities would reduce attack surface and trigger alerts during unauthorized lateral moves or suspicious outbound traffic.
Control: Zero Trust Segmentation
Mitigation: Narrowed access with least privilege reduces token exposure and risk of abuse.
Control: Multicloud Visibility & Control
Mitigation: Centralized monitoring and policy can detect anomalous privilege escalations.
Control: East-West Traffic Security
Mitigation: Microsegmentation blocks unauthorized workload-to-workload movement.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unapproved outbound C2 traffic from developer or build environments.
Control: Cloud Firewall (ACF)
Mitigation: Stops unauthorized data export and provides full egress flow visibility.
Triggers rapid alerts on anomalous publishing or distribution activities.
Impact at a Glance
Affected Business Functions
- Software Development
- Extension Management
Estimated downtime: N/A
Estimated loss: N/A
No evidence of data exposure was found; 81 extensions were proactively deactivated as a precaution.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce strict Zero Trust Segmentation to restrict where extension tokens and sensitive identities can be consumed in the cloud supply chain pipeline.
- • Deploy Cloud Firewall and Egress Security controls to prevent unauthorized outbound and C2 communications from developer, build, and publishing environments.
- • Enable East-West Traffic Security to block lateral attacker movement between CI/CD, repository, and runtime workloads.
- • Integrate Multicloud Visibility & Threat Detection for rapid alerting on anomalous publishing, privilege escalations, or suspicious code uploads.
- • Continuously audit developer secrets in public code and apply policy-driven runtime controls across Kubernetes and cloud-native services.
