
Eclipse Foundation Revokes Leaked Tokens in VS Code Extensions Following Wiz Report
The Eclipse Foundation has revoked tokens that were exposed in Visual Studio Code (VS Code) extensions on the Open VSX marketplace, following a report by cloud security firm Wiz. The report identified multiple extensions, on both Microsoft's VS Code Marketplace and Open VSX, that contained leaked tokens, which could include authentication credentials or API keys.

Exposed tokens of this kind carry significant security risk: unauthorized access, data breaches, and supply chain attacks. Revoking them is a critical mitigation step, but the incident also highlights the need for better security practices in how extensions are developed and distributed, and underscores the importance of supply chain security in open-source ecosystems.

Developers must ensure that sensitive information is not hardcoded into extensions, and should adopt robust practices such as regular code review and automated scanning for sensitive data. Organizations should monitor and audit the third-party components they depend on for potential security risks and stay informed about security incidents and best practices in the open-source community. For cybersecurity professionals, the incident is a reminder of the ongoing challenge of securing the software supply chain and of the need for proactive measures to detect and prevent the exposure of sensitive information in code.