New GlassWorm malware wave targets Macs with trojanized crypto wallets

A fourth wave of the "GlassWorm" campaign is targeting macOS developers with malicious VSCode/OpenVSX extensions that deliver trojanized versions of crypto wallet applications.

Extensions in the OpenVSX registry and the Microsoft Visual Studio Marketplace expand the capabilities of a VS Code-compatible editor by adding features and productivity enhancements in the form of development tools, language support, or themes.

The Microsoft marketplace is the official extension store for Visual Studio Code, whereas OpenVSX serves as an open, vendor-neutral alternative, primarily used by editors that do not support or choose not to rely on Microsoft's proprietary marketplace.

The GlassWorm malware first appeared on the marketplaces in October, hidden inside malicious extensions using "invisible" Unicode characters.
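A defender-side check for the hiding technique described above, added here as an example rather than code from the article or from Koi Security: it walks a directory of installed editor extensions and flags JavaScript lines that contain code points which render as nothing. The set of code points treated as "invisible" is my assumption, not a list taken from the article.

```python
"""Flag JavaScript sources that carry invisible Unicode code points."""
import unicodedata
from pathlib import Path

# Assumed list of code points that render as nothing in an editor.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x180E}


def is_invisible(ch: str) -> bool:
    """True for zero-width spaces, variation selectors, tag characters
    and other Unicode format controls (general category Cf)."""
    cp = ord(ch)
    if cp in ZERO_WIDTH:
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    if 0xE0000 <= cp <= 0xE007F:  # Unicode "tag" block
        return True
    return unicodedata.category(ch) == "Cf"


def scan_source(text: str):
    """Return [(line_no, count), ...] for every line holding invisible chars.
    A leading byte-order mark is benign and is ignored."""
    if text.startswith("\ufeff"):
        text = text[1:]
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        count = sum(1 for ch in line if is_invisible(ch))
        if count:
            findings.append((n, count))
    return findings


def scan_extension_dir(root) -> dict:
    """Scan every *.js file below root (e.g. ~/.vscode/extensions)."""
    hits = {}
    for path in Path(root).rglob("*.js"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        found = scan_source(text)
        if found:
            hits[str(path)] = found
    return hits


# Constructed sample: line 2 ends with three zero-width spaces.
SAMPLE = "const greeting = 'hello';\nconst x = 1;\u200b\u200b\u200b\nconsole.log(greeting);\n"

if __name__ == "__main__":
    print(scan_source(SAMPLE))  # [(2, 3)]
```

Any hit deserves a manual look at the surrounding code, since a line that mixes visible source with invisible code points has no legitimate reason to exist in a shipped extension.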

Once installed, the malware attempted to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from multiple wallet extensions. Additionally, it supported remote access through VNC and could route traffic through the victim's machine via a SOCKS proxy.

Despite the public exposure and increased defenses, GlassWorm returned in early November on OpenVSX and then again in early December on VSCode.

GlassWorm back on OpenVSX

Koi Security researchers discovered a new GlassWorm campaign that targets macOS systems exclusively, a departure from the previous ones that focused only on Windows.

Instead of the invisible Unicode seen in the first two waves, or compiled Rust binaries used in the third one, the most recent GlassWorm attacks use an AES-256-CBC–encrypted payload embedded in compiled JavaScript in the OpenVSX extensions:

studio-velte-distributor.pro-svelte-extension
cudra-production.vsce-prettier-pro
Puccin-development.full-access-catppuccin-pro-extension