Article Details
Scrape Timestamp (UTC): 2025-11-08 16:26:23.321
Original Article Text
GlassWorm malware returns on OpenVSX with 3 new VSCode extensions

The GlassWorm malware campaign, which impacted the OpenVSX and Visual Studio Code marketplaces last month, has returned with three new VSCode extensions that have already been downloaded over 10,000 times.

GlassWorm is a campaign and malware that leverages Solana transactions to fetch a payload targeting GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data from 49 extensions. The malware uses invisible Unicode characters that render as blanks but execute as JavaScript to facilitate malicious actions.

It first appeared via 12 extensions on Microsoft's VS Code and OpenVSX marketplaces, which were downloaded 35,800 times. However, it is believed that the number of downloads was inflated by the threat actor, making the full impact of the campaign unknown.

In response to this compromise, Open VSX rotated access tokens for an undisclosed number of accounts breached by GlassWorm, implemented security enhancements, and marked the incident as closed.

GlassWorm returns

According to Koi Security, which has been tracking the campaign, the attacker has now returned to OpenVSX, using the same infrastructure but with updated command-and-control (C2) endpoints and Solana transactions.

The three OpenVSX extensions carrying the GlassWorm payload are:

Koi Security says all three extensions use the same invisible Unicode character obfuscation trick as the original files. Evidently, this remains effective at bypassing OpenVSX's newly introduced defenses.

As Aikido reported earlier, GlassWorm operators weren't deterred by last month's exposure and had already pivoted to GitHub, but the return to OpenVSX via new extensions shows an intention to resume operations across multiple platforms.

Attack infrastructure exposed

Through an anonymous tip, Koi Security was able to access the attackers' server and obtain key data on the victims impacted by this campaign.
The retrieved data indicates global reach, with GlassWorm found on systems across the United States, South America, Europe, Asia, and a government entity in the Middle East.

Regarding the operators themselves, Koi reports they are Russian-speaking and use the RedExt open-source C2 browser extension framework. The researchers shared all data with law enforcement, including user IDs for multiple cryptocurrency exchanges and messaging platforms, and a plan to inform impacted organizations is being coordinated.

Koi Security told BleepingComputer that they have identified 60 distinct victims so far, noting that they retrieved only a partial list from a single exposed endpoint.

As of writing, the three extensions with the GlassWorm payload remain available for download on OpenVSX.
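The obfuscation the article describes, invisible Unicode characters that render as blanks inside extension source but carry executable JavaScript, is something a marketplace or a team can check for before installing or publishing an extension. The scanner below is an added example, not code from the article, from Koi Security or from OpenVSX; the code-point ranges it flags are a defender's heuristic and the sample extension file is constructed for the demonstration, neither is a description of GlassWorm's actual encoding.

```javascript
// Added example: flag runs of invisible Unicode code points in extension source.
// Ranges are an assumption of this example (a detection heuristic), not the
// article's description of how GlassWorm encodes its payload.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space/joiner/non-joiner, LRM/RLM
  [0x2028, 0x202e],   // line/paragraph separators, bidi embedding controls
  [0x2060, 0x2064],   // word joiner and invisible operators
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // zero-width no-break space (a BOM in mid-file)
  [0xe0000, 0xe007f], // Unicode "Tags" block
  [0xe0100, 0xe01ef], // variation selectors supplement
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Return runs of consecutive invisible code points, with line number and length.
// A long run inside a .js file is the signal worth reviewing; minRun tunes noise.
function findInvisibleRuns(source, minRun = 1) {
  const runs = [];
  let line = 1;
  let run = null;
  for (const ch of source) {          // for..of walks code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    if (isInvisible(cp)) {
      if (run) run.length++;
      else { run = { line, length: 1, firstCodePoint: cp }; runs.push(run); }
    } else {
      run = null;
      if (ch === '\n') line++;
    }
  }
  return runs.filter((r) => r.length >= minRun);
}

// Constructed sample: a benign-looking activate() whose third line ends in a
// "blank" that is really 32 variation selectors (U+FE00..U+FE0F).
const hidden = Array.from({ length: 32 }, (_, i) => String.fromCodePoint(0xfe00 + (i % 16))).join('');
const SAMPLE = [
  'const vscode = require("vscode");',
  'function activate(context) {',
  '  console.log("extension active");' + hidden,
  '}',
  'module.exports = { activate };',
].join('\n');

function scanSample() {
  return findInvisibleRuns(SAMPLE, 8);
}

for (const r of scanSample()) {
  console.log(`line ${r.line}: ${r.length} invisible code points starting at U+${r.firstCodePoint.toString(16).toUpperCase()}`);
}
```

Run it over every file in an unpacked .vsix to get a per-line report; an editor shows the flagged line as ordinary code, which is exactly why a scanner rather than eyeballing is needed.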
Daily Brief Summary
The GlassWorm malware campaign has re-emerged, targeting OpenVSX with three new VSCode extensions downloaded over 10,000 times.
GlassWorm exploits Solana transactions to obtain GitHub, NPM, and OpenVSX credentials, along with cryptocurrency wallet data.
The malware uses invisible Unicode characters to execute JavaScript, bypassing OpenVSX's recent security measures.
Initial attacks involved 12 extensions on VS Code and OpenVSX, with downloads potentially inflated by threat actors.
OpenVSX responded by rotating access tokens and enhancing security, though the new extensions indicate ongoing vulnerabilities.
Koi Security's investigation exposed the attackers' infrastructure, revealing a global impact, including a Middle Eastern government entity.
The attackers, identified as Russian-speaking, utilize the RedExt open-source C2 framework, with data shared with law enforcement.
Despite exposure, the extensions remain available, signaling a need for continued vigilance and enhanced security protocols.