A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems.
The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times.
GlassWorm attacks first appeared in late October; the malicious code, hidden behind “invisible” Unicode characters, steals cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying.
Over time and across multiple attack waves, GlassWorm impacted both Microsoft’s official Visual Studio Code marketplace and OpenVSX, the open-source registry used by IDEs that the Microsoft marketplace does not support.
In a previous campaign, GlassWorm showed signs of evolution: it began targeting macOS systems, and its developers were working on a mechanism to replace the Trezor and Ledger wallet apps.
A new report from Socket’s security team describes the latest campaign, which trojanized the following extensions:
oorzc.ssh-tools v0.5.1
oorzc.i18n-tools-plus v1.6.8
oorzc.mind-map v1.0.61
oorzc.scss-to-css-compile v1.3.4
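The hiding technique mentioned above, a payload encoded in code points an editor renders as nothing, is something a defender can check for before installing or updating an extension. The scanner below is an added example written for this article, not Socket's tooling or the extension author's code; the set of Unicode ranges it treats as invisible and the run-length threshold are assumptions, and the sample source it scans is constructed.

```python
# Added example (not Socket's or the extension author's code): flag runs of
# invisible Unicode code points in extension sources, the hiding technique
# described above. Range choice is an assumption; extend it as needed.
from pathlib import Path

INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM)
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
)

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def find_invisible_runs(text: str, min_run: int = 8) -> list[dict]:
    """Report runs of at least min_run consecutive invisible code points.
    A lone ZWJ in a string literal is normal; a long run is not."""
    findings, run_start = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line + "\n"):  # "\n" sentinel closes a trailing run
            if is_invisible(ch):
                run_start = col if run_start is None else run_start
            elif run_start is not None:
                if col - run_start >= min_run:
                    findings.append({"line": lineno, "col": run_start + 1,
                                     "length": col - run_start})
                run_start = None
    return findings

def scan_tree(root: Path, suffixes=(".js", ".mjs", ".cjs", ".ts")) -> dict:
    """Walk an unpacked extension (the .vsix contents) and map file -> findings."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_invisible_runs(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a benign line, then a statement followed by 16 hidden
# variation-selector code points that an editor would render as nothing.
SAMPLE_SOURCE = (
    "const activate = () => vscode.window.showInformationMessage('hi');\n"
    "const x = 1;" + "".join(chr(0xE0100 + i) for i in range(16)) + "\n"
)
```

Run `scan_tree(Path("unpacked-extension"))` over an extracted .vsix to list every source file with a suspicious run; a hit is a reason to diff the update against the previous version, not proof of compromise on its own.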