VS Code extension publishers' secret leak
Data Leak
Summary
Hide ▲
Show ▼
A VS Code extension publisher secret leak exposed access tokens and PATs across more than 500 extensions, creating a supply-chain path for malicious updates. The exposure included over 550 validated secrets from hundreds of publishers, with more than 100 Marketplace PATs tied to 85,000 installs and 30 Open VSX tokens tied to at least 100,000 installs. On October 21, the Open VSX registry removed malicious extensions and rotated or revoked associated tokens after leaked credentials were used in the GlassWorm campaign. Open VSX later said the incident was fully contained, while Microsoft said it revoked leaked PATs and planned additional secret-scanning measures.
Related Happenings
Microsoft hit by cyberattack
Incident
H score68
First: 09.06.2026 18:42
Last: 09.06.2026 18:42
Sources 1
About this happening:
A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Microsoft hit by cyberattack
IncidentAbout this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Visual Studio Code VS Code token-theft zero-day security flaw
Vulnerability
H score44
First: 03.06.2026 09:50
Last: 03.06.2026 09:50
Sources 1
About this happening:
A **Visual Studio Code (VS Code) zero-day** lets attackers steal **GitHub OAuth tokens** by abusing the editor's **sandboxed webview message-passing system**. The flaw is especial...
Visual Studio Code VS Code token-theft zero-day security flaw
VulnerabilityAbout this happening: A **Visual Studio Code (VS Code) zero-day** lets attackers steal **GitHub OAuth tokens** by abusing the editor's **sandboxed webview message-passing system**. The flaw is especial...
Latest development: 03.06.2026 15:58
Microsoft has acknowledged a Visual Studio Code vulnerability that can let an attacker use a crafted link and malicious webview message-passing to steal a victim's GitHub OAuth token via GitHub.dev, and said it is working on a fix; Microsoft also said the issue does not affect VS Code Desktop.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
GlassWorm OpenVSX sleeper extension campaign
Campaign
H score45
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm OpenVSX sleeper extension campaign
CampaignAbout this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
Timeline
-
02.11.2025 17:09 1 articles · 8mo ago
Open VSX removes malicious extensions and rotates leaked tokens
Mitigation Patch UpdateOn October 21, the Open VSX registry removed all malicious extensions and rotated or revoked associated access tokens after leaked developer credentials were used to publish malicious extensions in a supply-chain attack. Open VSX later confirmed the incident was fully contained with no ongoing impact.
Show sources
- Open VSX rotates access tokens used in supply-chain malware attack — www.bleepingcomputer.com — 02.11.2025 17:09
-
15.10.2025 17:16 2 articles · 8mo ago
VS Code extension publishers exposed access tokens and PATs
Initial DisclosureWiz disclosed that publishers of more than 500 Visual Studio Code extensions exposed over 550 validated secrets across hundreds of distinct publishers, including more than 100 VS Code Marketplace PATs tied to over 85,000 installs and 30 Open VSX access tokens tied to at least 100,000 installs, creating a path for malicious extension updates at scale. The disclosure also noted that leaked Marketplace or Open VSX tokens could let an attacker distribute malware through trusted extension update channels, and Microsoft said it revoked leaked PATs and would add secret scanning capabilities for verified secrets.
Show sources
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16