The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode/OpenVSX extensions.
Researchers at Aikido, Socket, Step Security, and the OpenSourceMalware community have collectively identified 433 compromised components this month in attacks attributed to GlassWorm.
Evidence that a single threat actor is behind the GlassWorm campaigns across multiple open-source ecosystems comes from the reuse of the same Solana blockchain address for command-and-control (C2) activity, identical or functionally similar payloads, and shared infrastructure.
GlassWorm was first observed last October, with attackers using “invisible” Unicode characters to hide malicious code that harvested cryptocurrency wallet data and developer credentials.
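To make the "invisible Unicode" hiding technique concrete from the defender's side, the following Python scanner is an added example, not code from the original report or from any of the researchers named. It flags code points that render as nothing in an editor but remain in the file, and reports the longest consecutive run of them, since a single stray zero-width character is ordinary while a long run of invisibles inside a source line is not. The sample extension file and its hidden run are constructed for this example; the code-point ranges are a general set of invisible and format characters, not a signature taken from the page.

```python
import unicodedata
from typing import List, Tuple

# Code points that render as nothing (or nearly nothing) in an editor but
# are still part of the file. Zero-width and bidi-control characters have
# Unicode category "Cf" (format); variation selectors are "Mn" (non-spacing
# mark) and so would be missed by a category check alone. This is a general
# list of invisibles (an assumption of this example), not a campaign signature.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
TAG_CHARACTERS = set(range(0xE0000, 0xE0080))


def is_invisible(ch: str) -> bool:
    """True if the character takes up no visible space in a typical editor."""
    cp = ord(ch)
    if cp in ZERO_WIDTH or cp in BIDI_CONTROLS:
        return True
    if cp in VARIATION_SELECTORS or cp in TAG_CHARACTERS:
        return True
    # Catch any remaining format characters; ordinary whitespace is "Zs"/"Cc".
    return unicodedata.category(ch) == "Cf"


def scan_source(text: str) -> List[Tuple[int, int, str]]:
    """Return (line_no, column, 'U+XXXX') for every invisible code point."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}"))
    return findings


def longest_invisible_run(text: str) -> int:
    """Length of the longest consecutive run of invisible code points.

    A long run is the signal worth alerting on: one BOM or ZWJ in a string
    literal is normal, dozens of variation selectors in a row are not.
    """
    best = run = 0
    for ch in text:
        if is_invisible(ch):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


# Constructed sample: a harmless-looking extension entry point with a run of
# variation selectors appended to a comment line. The bytes being encoded are
# a placeholder string, not a real payload.
HIDDEN = "".join(chr(0xFE00 + (b % 16)) for b in b"constructed payload bytes")
SAMPLE = (
    "const vscode = require('vscode');\n"
    "// activate extension" + HIDDEN + "\n"
    "function activate(context) { console.log('ready'); }\n"
    "module.exports = { activate };\n"
)

if __name__ == "__main__":
    for line_no, col, cp in scan_source(SAMPLE):
        print(f"line {line_no} col {col}: {cp}")
    print("longest invisible run:", longest_invisible_run(SAMPLE))
```

Run over a checkout or an unpacked extension, a threshold on `longest_invisible_run` (for example, more than a handful of consecutive invisibles on one line) is a cheap pre-install or CI check; `scan_source` gives the exact positions to inspect by hand.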
The campaign continued in multiple waves and expanded to Microsoft's official Visual Studio Code marketplace and the OpenVSX registry used by unsupported IDEs, as discovered by Secure Annex researcher John Tuckner.
The campaign also targeted macOS systems with trojanized Trezor and Ledger wallet clients, and later targeted developers through compromised OpenVSX extensions.
The latest GlassWorm attack wave is far more extensive, though, and spread to:
200 GitHub Python repositories
151 GitHub JS/TS repositories
72 VSCode/OpenVSX extensions