A vulnerability in Open VSX could have allowed attackers to manipulate repositories and distribute malicious extensions, threatening over 8 million developers. The flaw involved an exposed secret token with super-admin privileges, risking widespread malware infections and backdoor injections. #OpenVSX #EclipseFoundation
Key points
- The vulnerability was found in the extension publishing mechanism of Open VSX.
- An attacker could have exploited the exposed secret token to publish malicious extensions.
- The compromised token granted full control over the extension ecosystem, akin to a supply chain attack.
- The flaw was actively exploited in early May, prompting an urgent patch by the Eclipse Foundation.
- This incident highlights the risks of automated processes with privileged credentials in open source projects.
Read More: https://www.securityweek.com/vulnerability-exposed-all-open-vsx-repositories-to-takeover/