
The hijacked publisher account let the attackers push malicious versions of four legitimate VS Code extensions. These tools had built trust over years, with more than 22,000 downloads combined.
The extensions looked harmless: utilities for FTP/SFTP sync, internationalization, mind mapping, and SCSS compilation.
The new versions, however, hid a GlassWorm malware loader. Open VSX assessed the cause as leaked tokens or unauthorized account access. Socket alerted the maintainer and the Eclipse Foundation, who quickly deactivated the tokens, removed the malicious versions, and blacklisted one extension.
The attack marks an escalation in GlassWorm's tactics. Earlier waves relied on typosquatting; here the attackers hijacked an established publisher. The same "oorzc" account publishes clean extensions on the Visual Studio Marketplace with thousands of installs, which shows how a trusted identity amplifies reach.
Attack Chain and Payload Details
The malware uses a staged loader in extension.js. Stage 0 decrypts a hex-encoded blob with AES-256-CBC, using a hardcoded 32-character (256-bit) key ("wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz") and a hardcoded IV, then runs the plaintext through eval().
Stage 1 fingerprints the environment and exits on Russian systems, checking for locales such as "ru_RU", the Moscow timezone, or UTC offsets of +2 to +12 hours. A detonation sandbox configured with one of those settings therefore never sees the payload; decrypting the blob statically is the reliable way to inspect it.
If the checks pass, it pulls C2 data from a Solana transaction memo at address BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC. The chain acts as a dynamic dead drop: the attackers can change server addresses without republishing the extension.
On macOS (os.platform() === "darwin"), it fetches Stage 2, a Node.js script that steals data and establishes persistence.
Key theft targets:
| Extension Name | Malicious Version | Open VSX Downloads | Data Stolen |
|---|---|---|---|
| oorzc.ssh-tools | v0.5.1 | ~17,000 | AWS creds (~/.aws), SSH keys (~/.ssh), npm tokens, GitHub artifacts |
| oorzc.i18n-tools-plus | v1.6.8 | ~3,600 | Browser cookies (Chrome/Firefox), MetaMask data, crypto wallets (Electrum, Exodus) |
| oorzc.mind-map | v1.0.61 | ~3,200 | Keychain DB, Apple Notes, Safari cookies, FortiClient VPN configs |
| oorzc.scss-to-css-compile | v1.3.4 | ~1,300 | Desktop/Documents files, Ledger Live/Trezor/Binance wallets |
Stage 2 stages files in /tmp/ijewf. It collects browser data (cookies, saved logins, history), wallet files (Atomic, TonKeeper), the keychain, the Notes databases, and documents from Desktop and Downloads.
The developer focus is what makes this dangerous: AWS and SSH configs enable pivots into cloud environments, and npm/GitHub tokens put repositories and CI pipelines at risk of takeover.
It zips the haul to /tmp/out.zip and exfiltrates it with curl to 45.32.150.251 (endpoints /p2p and /2p2). Persistence is a LaunchAgent plist at ~/Library/LaunchAgents/com.user.nodestart.plist that relaunches the script at login.
GlassWorm has targeted Open VSX since October 2025. Early reports described "invisible" code tricks; this wave uses an encrypted loader instead. Despite the name there is no true worming behaviour; the spread comes from chaining stolen credentials.
Response and Protection Steps
The Eclipse Foundation responded quickly, and Socket credited the coordination. Socket links this campaign to 13 earlier GlassWorm extensions.
Users should uninstall the listed extensions, delete the dropped artifacts, and on macOS inspect ~/Library/LaunchAgents and /tmp/ijewf.
Rotate every credential the stealer targets: GitHub and npm tokens first, then AWS and SSH keys. Audit repositories for unexpected commits.
To prevent recurrence, Socket recommends its GitHub app for PR scans, its CLI during installs, and its browser extension for risk warnings. Gate Open VSX updates and prefer the Visual Studio Marketplace where possible.
The incident shows the supply chain risk in developer tooling: stolen developer credentials turn a single workstation into an enterprise-wide threat.
The post Malicious GlassWorm Campaign Targets Developers via VSX Extensions appeared first on Cyber Security News.
