Glassworm malware returns in third wave of malicious VS Code packages
The Glassworm malware campaign, initially identified in October, has resurfaced for a third time, introducing 24 new malicious packages to the OpenVSX and Microsoft Visual Studio marketplaces. These marketplaces are key extension repositories for VS Code, offering developers add-ons for language support, frameworks, tooling, and themes. The resurgence highlights the persistent threat to developer environments and the challenges in maintaining the security of these platforms.
First discovered by Koi Security, Glassworm employs invisible Unicode characters to conceal its code. Once installed, it attempts to pilfer GitHub, npm, and OpenVSX account credentials, along with cryptocurrency wallet data from 49 targeted extensions. Moreover, the malware establishes a SOCKS proxy to route malicious traffic through the compromised machine and deploys an HVNC client, granting attackers covert remote access. Despite previous cleanup efforts and OpenVSX’s claim of containing the initial incident, Glassworm has repeatedly bypassed security measures.
The latest wave of Glassworm was detected by Secure Annex researcher John Tuckner. Package names imitating Flutter, Vim, YAML, Tailwind, Svelte, React Native, and Vue point to a broad targeting scope aimed at popular developer tools and frameworks. The packages identified across both marketplaces include a range of seemingly innocuous extensions, from icon themes and Prettier formatters to language support tools. After an extension has been accepted onto a marketplace, the actors push an update containing the malware and artificially inflate its download count to boost the extension's perceived legitimacy and its prominence in search results.
Glassworm’s technical sophistication has also increased, now incorporating Rust-based implants within the extensions. The use of invisible Unicode characters persists in certain instances. Security teams should proactively monitor their VS Code environments for the presence of these malicious packages and implement stricter code review processes for extensions. Developers should also be wary of extensions with unusually high download counts or recent updates from unknown publishers. Organizations must reinforce secure coding practices and educate developers about the risks associated with installing untrusted extensions to mitigate the risk of falling victim to Glassworm.
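The invisible-Unicode concealment described above is something a security team can check for directly when reviewing installed extension sources. The following scanner is an added example written for this summary, not code from the article, Koi Security or Secure Annex; the set of code point ranges it flags and the constructed `extension.js` sample are the author's assumptions, not indicators taken from the campaign.

```python
import unicodedata
from dataclasses import dataclass

# Assumed set of invisible or non-rendering code points worth flagging in
# extension source. These ranges are a reviewer's choice, not a list from the article.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM)
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_invisible(ch: str) -> bool:
    """True if ch renders as nothing in an editor and has no place in plain JS source."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Any remaining format character (category Cf) is also invisible.
    return unicodedata.category(ch) == "Cf"

@dataclass
class Finding:
    line: int            # 1-based line number
    column: int          # 1-based column where the run starts
    length: int          # number of invisible code points in the run
    first_codepoint: str # e.g. "U+FE01", to help triage

def scan_source(text: str, min_run: int = 1) -> list[Finding]:
    """Return every run of at least min_run consecutive invisible code points."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            if col - start >= min_run:
                findings.append(Finding(line_no, start + 1, col - start,
                                        f"U+{ord(line[start]):04X}"))
    return findings

# Constructed sample: a tiny extension entry point with a hidden run of
# variation selectors inside a string literal (invisible in most editors).
SAMPLE_EXTENSION_JS = (
    "const vscode = require('vscode');\n"
    "function activate(context) {\n"
    "  const s = 'hello\ufe01\ufe05\ufe0f\U000e0102';\n"
    "}\n"
)
```

Running `scan_source` over every `.js` file under the VS Code extensions directory, with `min_run` raised to a few code points to skip lone BOMs, gives a quick first-pass triage list; a real payload shows up as a long run at one column.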
To read the complete article see: Bleeping Computer.