Concise Cyber

Eclipse Foundation Revokes Leaked Open VSX Tokens After Wiz Security Report

Security Flaw Addressed in Open Source Marketplace

The Eclipse Foundation, the organization responsible for the open-source Open VSX project, has confirmed that it revoked a small number of access tokens. The tokens had been discovered leaked inside Visual Studio Code (VS Code) extensions published on the marketplace. The issue was brought to the foundation's attention by a security report from the cloud security company Wiz.

Wiz's research, published in October 2025, identified several extensions across both Microsoft's official VS Code Marketplace and the Open VSX platform that had inadvertently exposed access tokens. The investigation found these tokens in public code repositories, a significant software supply-chain risk, since a publishing token lets its holder push new versions of an extension to every user who installs it.

Investigation Confirms Developer Error

In response to the findings, the Eclipse Foundation conducted its own investigation. Mikaël Barbero, head of security at the Eclipse Foundation, issued a statement clarifying the source of the leak. “Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions,” Barbero said. He further emphasized that the incident was not a result of a security breach within the Open VSX infrastructure itself. “These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure,” he added.

To mitigate the risk, the foundation immediately revoked the exposed tokens so that they could not be used to make unauthorized changes to extensions on the platform. Following the incident, Open VSX also announced new measures intended to strengthen security and prevent similar developer errors in the future. The aim of these actions was to preserve the integrity of the Open VSX registry and protect its users from malicious extension updates.

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise, in our own words, what has already been reported in public forums, with no intention to plagiarise or copy another person's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by decisions made on the basis of anything published on cyberconcise.com. You are advised to do your own checks and balances before making any decision, and the owners and publishers of cyberconcise.com cannot be held accountable for the resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
