Self-spreading GlassWorm malware hits OpenVSX, VS Code registries

A new and ongoing supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm that has been installed an estimated 35,800 times. The malware hides its malicious code by using invisible characters. It can also spread itself using stolen account information to infect more extensions the victim can access.

GlassWorm operators use Solana blockchain for command-and-control, making takedown very difficult, with Google Calendar as a backup option. Once installed, the malware attempts to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from 49 extensions. Additionally, GlassWorm deploys a SOCKS proxy to route malicious traffic through the victim’s machine and installs VNC clients (HVNC) for invisible remote access.

The worm has a hardcoded wallet with transactions on the Solana blockchain that provide base64-encoded links for the next-stage payloads. According to the researchers, the final payload is called ZOMBI and is a “massively obfuscated JavaScript” code that turns infected systems into nodes for the cybercriminal activities. \n\nHere’s what makes this particularly urgent: VS Code extensions auto-update. When CodeJoy pushed version 1.8.3 with invisible malware, everyone with CodeJoy installed got automatically updated to the infected version. No user interaction. No warning. Just silent, automatic infection.

To read the complete article see: Bleeping Computer