Vulnerability Exposed All Open VSX Repositories to Takeover

A vulnerability in the extension publishing mechanism of Open VSX could have allowed attackers to tamper with any repository. The post Vulnerability Exposed All Open VSX Repositories to Takeover appeared first on SecurityWeek.

A vulnerability in Open VSX could have allowed attackers to take over the marketplace and tamper with any repository, Koi Security reports.

An open source extension marketplace hosted by the Eclipse Foundation, Open VSX is an alternative to Microsoft’s Visual Studio Code marketplace, allowing the community to publish VS Code projects for others to consume.

The community-driven alternative works the same as the official VS Code Marketplace, but without its constraints, and has become the go-to portal for numerous popular projects using VS Code-based editors, including Cursor, Coder, Gitpod, Windsurf, and others.

According to Koi Security, a simple vulnerability in the extension publishing mechanism of Open VSX could have put more than 8 million developers at risk of malware infection and other types of attacks.

Open VSX allows developers to upload extensions by themselves, or to submit them for auto-publishing through pull requests.

The automated mechanism, which runs with privileged credentials, was exposing the publishing account's secret token to any submitted extension and its dependencies, Koi Security says.

“This token is a super-admin credential for the Open VSX Registry – it can publish new extensions, update or overwrite existing ones. From an attacker’s perspective, that’s control over an entire ecosystem’s supply chain,” the security firm explains.
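The failure mode described above, as an added illustration that is not code from Koi Security or the Open VSX project: whatever credential sits in the build environment is readable by any dependency lifecycle script, so the fix is to withhold the publishing token from the untrusted build stage and hand it only to the publish step. The variable name `OVSX_PAT`, the secret-prefix list and the token value are assumptions.

```python
import json
import os
import subprocess
import sys

# Assumed name of the privileged publishing credential (placeholder, not a real token).
PUBLISH_TOKEN_VAR = "OVSX_PAT"
# Assumed set of credential-like variable prefixes to strip before running untrusted code.
SECRET_PREFIXES = ("OVSX_", "GITHUB_TOKEN", "NPM_TOKEN")

# Constructed stand-in for a dependency's install-time script (e.g. an npm lifecycle hook):
# it reports which OVSX_* variables are visible in its environment.
UNTRUSTED_SCRIPT = (
    "import json, os; "
    "print(json.dumps(sorted(k for k in os.environ if k.startswith('OVSX_'))))"
)


def scrub_for_untrusted_build(env):
    """Return a copy of env with every credential-like variable removed."""
    return {k: v for k, v in env.items() if not k.startswith(SECRET_PREFIXES)}


def run_untrusted_build(env):
    """Run the dependency script under env; return the OVSX_* names it could read."""
    out = subprocess.run(
        [sys.executable, "-c", UNTRUSTED_SCRIPT],
        env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(out.stdout)


def token_visible_to_build(isolate):
    """Simulate the auto-publish pipeline; True if the build stage could read the token."""
    base_env = {"PATH": os.environ.get("PATH", ""),
                PUBLISH_TOKEN_VAR: "constructed-placeholder-token"}
    if "SYSTEMROOT" in os.environ:  # keep the interpreter startable on Windows
        base_env["SYSTEMROOT"] = os.environ["SYSTEMROOT"]
    build_env = scrub_for_untrusted_build(base_env) if isolate else base_env
    return PUBLISH_TOKEN_VAR in run_untrusted_build(build_env)


if __name__ == "__main__":
    print("token leaked (shared env):  ", token_visible_to_build(isolate=False))  # True
    print("token leaked (scrubbed env):", token_visible_to_build(isolate=True))   # False
```

Only the scrubbed environment reaches the dependency install; the original environment, still holding the token, is used solely by the later publish step.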

According to Koi Security, an attacker with knowledge of the token could have published malicious extensions, infecting developers with keyloggers and information stealers, and could have injected backdoors into any developer project, potentially expanding the attack’s impact beyond Open VSX users.

“It’s the SolarWinds scenario for developer tooling: compromise the update mechanism, and you’ve compromised all the downstream systems that consume those updates,” Koi Security notes.

The vulnerability was discovered in early May and a patch was rolled out this week, after being vetted several times, the security firm says. SecurityWeek has contacted the Eclipse Foundation for a statement on the matter.

Related: Gerrit Misconfiguration Exposed Google Projects to Malicious Code Injection

Related: New Campaigns Distribute Malware via Open Source Hacking Tools

Related: Cryptojackers Caught Mining Monero via Exposed DevOps Infrastructure

Related: GitHub Announces General Availability of Security Campaigns