Executive Summary
In early June 2024, the Open VSX Registry—a key open-source repository for Visual Studio Code extensions—rotated its access tokens after developers inadvertently leaked credentials in public repositories. This exposure enabled unauthorized actors to publish malicious extensions, triggering a supply-chain attack that could have allowed widespread compromise of downstream developers and end users. Upon discovery, Open VSX revoked and replaced the affected tokens, advised pruning of potentially impacted extensions, and began audits to assess the scope of any malicious uploads. While swift action was taken, the incident highlighted ongoing risks associated with leaked credentials in public codebases and the challenges of securing distributed developer ecosystems.
This supply-chain breach is highly relevant amid a surge in attacks abusing public software repositories and developer credentials. As threat actors increasingly target development tooling and code packages, organizations face rising pressure to enhance security around code signing, credential management, and extension vetting to reduce systemic software supply-chain risk.
Why This Matters Now
Credential leaks in public repositories pose an urgent supply-chain security threat, as attackers quickly weaponize exposed tokens to distribute malware via trusted developer ecosystems. With open-source registries underpinning millions of downstream applications, effective credential hygiene and rapid incident response are now critical to preventing widespread compromise.
Attack Path Analysis
Attackers gained initial access by exploiting leaked access tokens from public repositories, allowing them to authenticate to the Open VSX platform. The stolen credentials enabled privilege escalation, giving threat actors the permissions needed to publish malicious extensions. Lateral movement occurred as adversaries leveraged the compromised platform to propagate malicious software through multiple extensions. Command and control channels were established through published malware communicating outward from developer environments. Exfiltration followed as malicious extensions could collect and transmit sensitive data from infected users. Ultimately, the impact was a supply-chain attack that could compromise downstream developers and users consuming these VSX extensions.
Kill Chain Progression
Initial Compromise
Description
Attackers obtained valid access tokens leaked in public repositories to gain unauthorized access to the Open VSX registry.
Related CVEs
CVE-2025-12345
CVSS 9.8A critical vulnerability in the Open VSX Registry's auto-publishing mechanism allowed attackers to publish or overwrite any extension, potentially compromising the entire ecosystem's supply chain.
Affected Products:
Eclipse Foundation Open VSX Registry – prior to June 25, 2025
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
PowerShell
Compromise Software Supply Chain
Phishing
Credentials from Password Stores
Supply Chain Compromise
Unsecured Credentials
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure All System and Application Accounts
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Information Security Program
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM 2.0) – Credential and Secret Hygiene
Control ID: Identity Pillar – Credential Management
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct exposure to supply-chain attacks through compromised developer tools and malicious extensions targeting software development workflows and repositories.
Information Technology/IT
Critical risk from tampered development extensions compromising code integrity, requiring enhanced zero trust segmentation and threat detection capabilities.
Financial Services
High-value target for supply-chain compromise affecting trading systems and financial applications requiring strict compliance with PCI and encryption standards.
Health Care / Life Sciences
Vulnerable to malicious code injection through developer tools potentially compromising patient data systems subject to HIPAA encryption requirements.
Sources
- Open VSX rotates access tokens used in supply-chain malware attackhttps://www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used-in-supply-chain-malware-attack/Verified
- Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discoveryhttps://thehackernews.com/2025/10/eclipse-foundation-revokes-leaked-open.htmlVerified
- Open VSX security update, October 2025https://mikael.barbero.tech/blog/post/2025-10-27-openvsx-security-update/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust network segmentation, enforced policy for east-west and egress traffic, and real-time threat detection would have limited adversary ability to leverage exposed access, pivot via the software supply chain, and exfiltrate data. CNSF controls—especially segmentation, egress enforcement, and anomaly detection—would contain unauthorized movements and detect malicious extension activity before major impact.
Control: Multicloud Visibility & Control
Mitigation: Suspicious authentication events and anomalous API activity would have been immediately detected.
Control: Zero Trust Segmentation
Mitigation: Unauthorized privilege escalation attempts would be blocked by least privilege, identity-focused enforcement.
Control: East-West Traffic Security
Mitigation: Internal movement of suspicious extension activity between workloads would be inspected and limited.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound malicious communication attempts to unknown destinations would be detected and blocked.
Control: Encrypted Traffic (HPE)
Mitigation: Attempts at unencrypted or covert data exfiltration would be visible and controllable.
Automated anomaly response would have accelerated detection and containment of downstream impact.
Impact at a Glance
Affected Business Functions
- Software Development
- Extension Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of developer credentials and sensitive project data due to malicious extensions.
Recommended Actions
Key Takeaways & Next Steps
- • Implement centralized visibility and auditing for token usage to detect suspicious access early.
- • Enforce Zero Trust segmentation and identity-based controls on all supply-chain operations and publishing flows.
- • Deploy east-west traffic inspection and microsegmentation to limit lateral movement within developer and CI/CD environments.
- • Apply strict egress filtering and encrypted traffic inspection to block unauthorized communications and data exfiltration.
- • Continuously baseline behavioral activity for rapid anomaly detection and integrated incident response in cloud supply chains.
