Executive Summary
In May 2025, the Eclipse Foundation identified a vulnerability in the Open VSX Registry's automated publishing system, potentially allowing unauthorized extension uploads. The flaw, reported by Koi Security researchers, involved inadequate isolation in build scripts, exposing a privileged token that could be exploited to publish extensions under any namespace. The issue was promptly addressed, with a fix deployed by June 24, 2025, and a comprehensive audit confirming no evidence of exploitation. As a precaution, 81 extensions were deactivated. This incident underscores the critical importance of securing automated processes in software supply chains to prevent unauthorized access and maintain trust in open-source ecosystems. The Eclipse Foundation has since implemented enhanced security measures, including sandboxing build processes and enforcing stricter credential management, to mitigate similar risks in the future.
Why This Matters Now
The incident highlights the ongoing vulnerabilities in software supply chains, emphasizing the need for continuous vigilance and proactive security measures to protect against unauthorized access and maintain trust in open-source ecosystems.
Attack Path Analysis
An attacker exploited a vulnerability in the Eclipse Open VSX Registry's automated publishing system to gain unauthorized access. By compromising the build process, they obtained a privileged token, allowing them to publish malicious extensions under any namespace. These extensions were then distributed to users, enabling the attacker to establish command and control channels. Subsequently, sensitive data was exfiltrated, leading to significant impact on the affected systems.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a vulnerability in the Eclipse Open VSX Registry's automated publishing system, allowing unauthorized uploads of extensions.
Related CVEs
CVE-2025-6705
CVSS 5.3A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions.
Affected Products:
Eclipse Foundation Open VSX Registry – prior to June 24, 2025
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Compromise Software Dependencies and Development Tools
Search Open Technical Databases: Code Repositories
Valid Accounts
Modify Authentication Process: Domain Controller Authentication
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Supply Chain Security
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical exposure to VS Code extension supply chain attacks targeting developer workflows, requiring enhanced pre-publish security checks and malware detection capabilities.
Information Technology/IT
High risk from compromised developer tools and extensions enabling lateral movement, requiring zero trust segmentation and enhanced visibility controls.
Computer/Network Security
Direct impact from extension marketplace vulnerabilities affecting security tooling and requiring strengthened egress filtering and threat detection mechanisms.
Financial Services
Supply chain threats through developer environments could compromise sensitive financial systems, necessitating enhanced compliance controls and anomaly detection.
Sources
- Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensionshttps://thehackernews.com/2026/02/eclipse-foundation-mandates-pre-publish.htmlVerified
- Eclipse Open VSX Registry Security Advisoryhttps://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-open-vsx-registry-security-advisoryVerified
- NVD - CVE-2025-6705https://nvd.nist.gov/vuln/detail/CVE-2025-6705Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities and move laterally within the cloud environment, thereby reducing the potential blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the publishing system vulnerability would likely be limited, reducing unauthorized access opportunities.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and misuse tokens would likely be constrained, reducing unauthorized publishing capabilities.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the development environment would likely be restricted, reducing access to additional resources.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels would likely be detected and constrained, reducing remote command execution capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data would likely be restricted, reducing data loss through unauthorized channels.
The operational and reputational damage would likely be mitigated, reducing the overall impact on the organization.
Impact at a Glance
Affected Business Functions
- Extension Publishing
- Extension Management
Estimated downtime: N/A
Estimated loss: N/A
No evidence of data compromise; 81 extensions were proactively deactivated as a precaution.
Recommended Actions
Key Takeaways & Next Steps
- • Implement pre-publish security checks to detect and prevent malicious extensions from being published.
- • Enforce strict isolation and sandboxing of build processes to protect privileged tokens and credentials.
- • Regularly audit and monitor extension publishing activities to identify unauthorized actions.
- • Educate developers on secure coding practices and the importance of safeguarding credentials.
- • Establish a comprehensive supply chain management program to assess and validate the integrity of all components.
