
GlassWorm malware returns on OpenVSX with 3 new VSCode extensions


The GlassWorm malware campaign, which impacted the OpenVSX and Visual Studio Code marketplaces last month, has returned with three new VSCode extensions that have already been downloaded over 10,000 times.

GlassWorm is a campaign and malware that leverages Solana transactions to fetch a payload targeting GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data from 49 extensions.

The malware uses invisible Unicode characters that render as blanks but execute as JavaScript to facilitate malicious actions.

It first appeared via 12 extensions on Microsoft's VS Code and OpenVSX marketplaces, which were downloaded 35,800 times. However, it is believed that the number of downloads was inflated by the threat actor, making the full impact of the campaign unknown.

In response to this compromise, Open VSX rotated access tokens for an undisclosed number of accounts breached by GlassWorm, implemented security enhancements, and marked the incident as closed.

GlassWorm returns

According to Koi Security, which has been tracking the campaign, the attacker has now returned to OpenVSX, using the same infrastructure but with updated command-and-control (C2) endpoints and Solana transactions.

The three OpenVSX extensions carrying the GlassWorm payload are:

Koi Security says all three extensions use the same invisible Unicode character obfuscation trick as the original files. Evidently, this remains effective at bypassing OpenVSX's newly introduced defenses.

The hidden payload
