ATLA WIRE

Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery

01.11.2025
Eclipse Foundation revokes leaked VS Code tokens and launches new Open VSX security upgrades.

The Eclipse Foundation just dropped the hammer on leaked Open VSX tokens after Wiz researchers uncovered a major security exposure. Translation: they revoked all compromised tokens and rolled out serious security upgrades to prevent future supply chain attacks.
Here's the tea: Wiz found that Open VSX tokens—those authentication keys for publishing VS Code extensions—were accidentally exposed, potentially letting threat actors publish malicious extensions to the marketplace. The Eclipse Foundation immediately revoked all affected tokens and implemented new security measures including mandatory 2FA for publishers and enhanced token monitoring.
Why this matters: Open VSX is the open-source alternative to Microsoft's VS Code Marketplace, used by thousands of developers daily. A compromised token could have led to supply chain attacks affecting millions of developers worldwide—think malicious extensions stealing credentials or injecting backdoors.
The security upgrades include:
  • Mandatory two-factor authentication for all extension publishers
  • Enhanced token monitoring and anomaly detection
  • Improved token revocation protocols
  • Strengthened publisher verification processes
Bottom line: If you're publishing VS Code extensions via Open VSX, you'll need to re-authenticate with the new security requirements. The Eclipse Foundation is treating this as a critical supply chain security wake-up call for the entire open-source ecosystem.