GlassWorm has emerged as a serious threat to developers using the Open VSX Registry, where popular VSX extensions were silently turned into delivery vehicles for malware. <\/p>\n
Threat actors compromised a trusted publisher account and pushed poisoned updates that looked like routine releases but actually carried a staged loader. <\/p>\n
These extensions, which had more than 22,000 downloads, were widely adopted tools used for file sync, internationalization, mind mapping, and CSS workflows, turning everyday development tasks into potential entry points for attackers.<\/p>\n
Socket.dev analysts identified<\/a> this campaign as a developer-compromise supply chain attack, likely triggered by leaked publishing tokens or other unauthorized access to the oorzc publisher account. <\/p>\n Once the malicious versions were live, any developer who installed or updated the affected extensions risked pulling down the GlassWorm loader without any obvious warning. <\/p>\n The Open VSX security team<\/a> later confirmed the compromise, removed the malicious releases, and revoked the publisher\u2019s tokens, but the exposure window was long enough to raise serious concerns about stolen credentials and downstream abuse.<\/p>\n GlassWorm is not a new name in the ecosystem, but this wave marks a clear escalation in tradecraft. <\/p>\n Instead of relying on fake or cloned projects, the attackers hid inside real, long-standing extensions with a history of legitimate use. <\/p>\n The malware focuses heavily on macOS systems, where it steals browser data, cryptocurrency wallets, and sensitive files, while also going after developer material such as SSH keys, AWS credentials, and GitHub or npm tokens. <\/p>\n This shift from simple theft to deep supply chain access means one compromised laptop can quickly become a stepping stone into cloud environments and CI pipelines.<\/p>\n This shows the oorzc namespace<\/a> listing the four compromised extensions: FTP\/SFTP\/SSH Sync Tool, I18n Tools, vscode mindmap, and scss to css, all appearing completely benign to the average user. <\/p>\n This visual highlights how normal the extensions looked at the time of the attack, reinforcing how hard it is for developers to spot such threats by eye.<\/p>\n While this illustrates the staged execution chain that powers GlassWorm\u2019s infection mechanism. <\/p>\n The first stage decrypts and runs an embedded payload, which then profiles the host, avoids Russian-locale systems, and retrieves its next command-and-control instructions from Solana<\/a> transaction memos. <\/p>\n A final macOS-focused stage collects credentials, keychains, and documents, compresses them into an archive, and exfiltrates the data to attacker-controlled infrastructure, while a LaunchAgent entry ensures the malware survives reboots and continues to run in the background.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post GlassWorm Infiltrated VSX Extensions with More than 22,000 Downloads to Attack Developers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nSimple theft to deep supply chain access<\/strong><\/h2>\n
![\"Open](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgdDhe9saZDRmDEem1HF2GaRwvfTZKjOovER89LO-Ply067-NDfOaRXdV2WjtZHyUTP1X37fdvdvSEGZ-sYBZg0HvFA37jXsKdkxE7h1jHrkJ3Ei24-GFfwWSOvrP8yscMWQqkwwc5ehzk4V9U5n-0PierYAWcGARKSH_nNmoxyHGS61i-V3uDhkX6jwNQ\/s16000\/Open%2520VSX%2520Registry%2520showing%2520the%2520oorzc%2520namespace%2520with%2520four%2520published%2520extensions%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")
![\"Publisher](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjojBQMdOU1eG11FiCpNWuAa1RisHfazvzYhUWSfIyrvfpksXkhc_pk6taxTEw7lKEvoGNcDPmrZVyEIlEdVsPx28tBeEqlFFml-N66yVzMUnfIALE2fv_BrtnumN-Bjgh7_CyvewnvyyBOZY3FxMa5p9zBCJ_ezHItppSu_4016xno7e8Wb2LzzxuK0lA\/s16000\/Publisher%2520profile%2520for%2520oorzc%2520on%2520Visual%2520Studio%2520Marketplace%2520listing%2520four%2520extensions%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")