
Application Security

GlassWorm Malware Returns to Open VSX, Emerges on GitHub

Three more VS Code extensions were infected last week, and the malware has emerged in GitHub repositories as well.

The post GlassWorm Malware Returns to Open VSX, Emerges on GitHub appeared first on SecurityWeek.


The GlassWorm malware has reared its ugly head again in the Open VSX registry, roughly two weeks after being removed from the Visual Studio (VS) Code extensions marketplace, Koi Security reports.

In mid-October, the malware landed in the registry through a set of nearly a dozen infected extensions, aiming to steal NPM, GitHub, and Git credentials, along with other sensitive information and funds from 49 cryptocurrency extensions.

Koi Security estimated at the time that the malware was downloaded roughly 35,000 times, warning that it could propagate by infecting the extensions and packages found on victims’ systems.

What made the malware stand out was its use of Unicode variation selectors to hide its code from code editors, and its use of the Solana blockchain for command-and-control (C&C) infrastructure. It also provided remote access to infected machines by deploying SOCKS proxy servers and hidden VNC servers.

Open VSX said in late October that the attack had been contained within days and that additional security measures had been implemented to prevent similar attacks.

Pointing out that GlassWorm was not a self-propagating worm, Open VSX said all infected extensions were removed from the registry, and that the incident was considered contained as of October 21.

Now, Koi warns that three more infected VS Code extensions were discovered in the registry on November 6, with a combined download count of approximately 10,000.

The attackers pushed a new Solana blockchain transaction that supplies the malware with new C&C addresses, from which it downloads a next-stage payload. The exfiltration server, however, remained unchanged from the first wave of attacks.

Koi also says it gained access to the attackers’ server and peeked at the stolen data, which included a partial list of GlassWorm’s victims. The list includes dozens of developers and organizations, including entities in the US, Europe, Asia, and Latin America, as well as a government entity in the Middle East.

The attackers, Koi notes, stole the victims’ credentials and are likely abusing their computers as criminal proxy infrastructure.

Keylogger data discovered on the server revealed that the threat actor is Russian-speaking, that they use the open source browser extension C&C framework RedExt as part of their infrastructure, and that they use multiple cryptocurrency exchanges and messaging platforms.

“We’re currently working with law enforcement agencies to notify affected victims and coordinate efforts to take down the attacker’s infrastructure. But the reality is sobering: this campaign has been running for over a month, and it continues to spread,” Koi says.

More worrying is that malicious code like GlassWorm’s, also hidden from code editors using Unicode characters, was found on GitHub. Aikido Security, which discovered multiple repositories containing the malicious script, notes that the same threat actor is likely behind both the Open VSX and GitHub attacks.
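The hiding technique described above (and in the earlier description of the Open VSX wave) relies on Unicode variation selectors, code points that editors render as nothing. A defender can flag such files without needing to understand the payload encoding: legitimate text only ever uses one or two variation selectors directly after a base character, so a long run of them in a source file has no rendering purpose. The scanner below is an added example written for this article, not code from Koi Security, Aikido Security, or any GlassWorm analysis; the `MIN_RUN` threshold and the sample extension file are constructed assumptions.

```javascript
// Added example: detect runs of invisible Unicode variation selectors in
// source text. Covers U+FE00-U+FE0F (Variation Selectors) and
// U+E0100-U+E01EF (Variation Selectors Supplement). The 'u' flag lets the
// character class match the astral (supplementary) code points.
const VS_RUN = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;

// Assumed threshold for this example: report any run of MIN_RUN or more
// consecutive selectors. Emoji and CJK glyph variants use a single one.
const MIN_RUN = 4;

// Return one finding per suspicious run: 1-based line, 1-based column
// (counted in code points, not UTF-16 units), run length, and the visible
// text that precedes the run, which is usually an innocuous statement.
function findHiddenUnicode(source, minRun = MIN_RUN) {
  const findings = [];
  const lines = source.split(/\r?\n/);
  lines.forEach((line, idx) => {
    VS_RUN.lastIndex = 0; // global regex: reset between input strings
    let m;
    while ((m = VS_RUN.exec(line)) !== null) {
      const runLength = [...m[0]].length; // spread counts code points
      if (runLength >= minRun) {
        findings.push({
          line: idx + 1,
          column: [...line.slice(0, m.index)].length + 1,
          runLength,
          context: line.slice(Math.max(0, m.index - 30), m.index).trim(),
        });
      }
    }
  });
  return findings;
}

// Constructed sample: a harmless-looking extension entry point with a run of
// eight variation selectors appended to the last statement. Line 2 carries a
// legitimate single selector (U+FE0F after a heart) that must not be flagged.
const HIDDEN = '\uFE00\uFE01\uFE02\uFE03\u{E0100}\u{E0101}\u{E0102}\u{E0103}';
const SAMPLE_SOURCE = [
  "const vscode = require('vscode');",
  'const name = "demo\u2764\uFE0F"; // emoji presentation selector, benign',
  'module.exports.activate = () => {};' + HIDDEN,
].join('\n');

function scanSample() {
  return findHiddenUnicode(SAMPLE_SOURCE);
}

for (const f of scanSample()) {
  console.log(
    `line ${f.line} col ${f.column}: ${f.runLength} invisible variation ` +
    `selectors after "${f.context}"`
  );
}
```

Run against an extension's unpacked files or a cloned repository, the same check would read each file and call `findHiddenUnicode` on its contents; the sample here reports the run on line 3 while leaving the single emoji selector on line 2 alone. Because the detector only looks at the invisible code points, it is independent of how any particular payload is encoded inside them.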

“Attackers are blending malicious code with realistic commits and project-specific improvements, possibly aided by AI to make their changes appear natural. It is a sign of where the threat landscape is heading,” Aikido says.

Related: Chinese APT Uses ‘Airstalk’ Malware in Supply Chain Attacks

Related: GitHub Boosting Security in Response to NPM Supply Chain Attacks

Related: Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit

Related: Highly Popular NPM Packages Poisoned in New Supply Chain Attack
