Saved February 14, 2026
Do you care about this?
The Eclipse Foundation revoked a number of Open VSX access tokens after a report showed they had been committed to public repositories. A leaked publishing token could have let an attacker push modified or malicious versions of an extension under its legitimate name. Open VSX is rolling out a new, easily recognisable token prefix, shorter token lifetimes and stricter publishing checks to limit the impact of future leaks.
If you do, here's more
The Eclipse Foundation has revoked leaked access tokens associated with its Open VSX project following a report from cloud security firm Wiz. Wiz found that several extensions published to both Microsoft's VS Code Marketplace and Open VSX had their publishing tokens exposed in public repositories. This is a supply chain risk rather than a bug in the registry: whoever holds a valid publishing token can upload a new version of the extension, and every user who auto-updates will receive it.
Mikaël Barbero, head of security at Eclipse, confirmed that the leaks stemmed from developer error (tokens committed to source control) rather than a breach of the Open VSX infrastructure. In response, Open VSX has introduced a new token prefix, "ovsxat_", so that leaked tokens can be recognised by secret scanners and by anyone who comes across them. All newly issued access tokens carry this prefix, and the foundation has shortened token lifetimes so that a leaked token is useful to an attacker for less time. It also plans to move the existing "ovsxp_" prefix over to "ovsxat_", since the longer, more distinctive prefix produces fewer false positives in scanning.
Additionally, the Eclipse Foundation has removed extensions flagged by Koi Security in a campaign dubbed "GlassWorm". It noted that the reported 35,800 downloads of these extensions likely included inflated figures from bot activity. Open VSX is also implementing further measures, such as automated scanning of extensions at publication time to detect malicious code and a simpler token revocation process. These steps are part of an ongoing effort to harden the ecosystem as supply chain attacks on package and extension registries become more common.
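The point of a distinctive prefix is that a scanner can match on it instead of guessing from entropy alone. The following added example (not code from the article, Eclipse or Open VSX) shows a minimal pre-commit style scanner for the "ovsxat_" prefix. The token body length and character set, the entropy threshold and the sample file contents are all assumptions made for illustration; the real token format is not described on this page.

```python
import math
import re
from collections import Counter

# Assumption (not from the article): the token body after the prefix is
# at least 32 URL-safe base64 characters. Adjust if the real format differs.
OVSX_TOKEN_RE = re.compile(r"\bovsxat_([A-Za-z0-9_-]{32,})\b")


def shannon_entropy(s: str) -> float:
    """Bits per character; random token bodies score high, 'xxxx' scores 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep the prefix and a short tail so a finding is identifiable but unusable."""
    return token[:12] + "..." + token[-4:]


def scan_for_ovsx_tokens(text: str, min_entropy: float = 3.5):
    """Return (line_number, redacted_token) for every likely real token in text.

    The prefix match does most of the work; the entropy check only drops
    obvious placeholders such as 'ovsxat_xxxxxxxx...' in documentation.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in OVSX_TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(1)) < min_entropy:
                continue
            findings.append((lineno, redact(m.group(0))))
    return findings


# Constructed sample input: a .env file, a doc line, a placeholder and a CI step.
SAMPLE = """\
# .env committed by mistake (constructed sample)
OVSX_PAT=ovsxat_Qm9uZmlyZS1leGFtcGxlLXRva2VuLWJvZHktMTIz
# docs: tokens start with the ovsxat_ prefix
placeholder: ovsxat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- name: Publish
  run: npx ovsx publish -p "ovsxat_7kJ2mN9pQ4rS6tU8vW0xY1zA3bC5dE7fG9hI"
"""

if __name__ == "__main__":
    for lineno, tok in scan_for_ovsx_tokens(SAMPLE):
        print(f"line {lineno}: possible Open VSX token {tok}")
```

Run against the constructed sample it reports only the `.env` line and the CI step; the documentation line mentions the prefix without a body and the placeholder has zero entropy, so neither is flagged. A scanner keyed on a short prefix such as "ovsxp_" would have to rely far more on the entropy heuristic, which is where false positives come from. To cover tokens issued before the prefix change, extend the alternation in `OVSX_TOKEN_RE` to include the old prefix as well.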