
Supply Chain Attack Targets VS Code Extensions With ‘GlassWorm’ Malware

The malware uses invisible Unicode characters to hide its code and blockchain-based infrastructure to prevent takedowns. The post Supply Chain Attack Targets VS Code Extensions With ‘GlassWorm’ Malware appeared first on SecurityWeek.

Visual Studio Code developers are being targeted by a self-propagating worm in a sophisticated supply chain attack carried out through the OpenVSX marketplace, Koi Security reports.

Dubbed GlassWorm, the malware was designed to steal sensitive information from the victims’ machines, including NPM, GitHub, and Git credentials, and to drain funds from 49 cryptocurrency extensions.

Additionally, it deploys SOCKS proxy servers on the infected machines, installs hidden VNC servers to provide attackers with remote access to systems, and spreads itself by compromising packages and extensions using the stolen credentials.

What makes the worm stand out, Koi Security notes, is its use of Unicode variation selectors: code points that produce no visible glyph, so the code they carry shows up as nothing in a code editor and is invisible to the human eye.

“To a developer doing code review, it looks like blank lines or whitespace. To static analysis tools scanning for suspicious code, it looks like nothing at all. But to the JavaScript interpreter? It’s executable code,” Koi explains.
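A defender-side check for the hiding technique Koi describes, added here as an example (it is not code from Koi Security or from the article): it scans source text for runs of Unicode variation selectors, which render as nothing on their own, and reports each line that carries such a run together with what the line looks like once the selectors are stripped. The JavaScript sample is constructed for the demonstration; the `min_run` threshold is an assumption chosen to let single emoji selectors through.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Unicode variation selectors: VS1-VS16 (U+FE00-U+FE0F) and VS17-VS256
# (U+E0100-U+E01EF). They modify the glyph before them and have no glyph of
# their own, so a run of them with no base character renders as blank space.
VARIATION_SELECTOR_RE = re.compile(r"[\ufe00-\ufe0f\U000e0100-\U000e01ef]+")


@dataclass
class Finding:
    line_no: int
    count: int           # variation selectors found on the line
    visible_text: str    # the line as an editor would show it, selectors removed


def scan_source(text: str, min_run: int = 8) -> list[Finding]:
    """Return one Finding per line that holds at least min_run variation selectors.

    A legitimate emoji sequence uses one selector per glyph; a long run on a
    line that otherwise looks empty is the pattern worth investigating.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        total = sum(len(m.group()) for m in VARIATION_SELECTOR_RE.finditer(line))
        if total >= min_run:
            findings.append(Finding(line_no, total, VARIATION_SELECTOR_RE.sub("", line)))
    return findings


# Constructed sample (not taken from any real extension): line 1 uses a single
# VS16 after a heart emoji, which is benign; line 3 carries 24 selectors after
# two spaces and appears as an indented blank line in an editor.
SAMPLE_JS = (
    "const label = '\u2764\ufe0f';\n"
    "function activate(ctx) {\n"
    "  " + "\U000e0100\U000e0101\ufe0f" * 8 + "\n"
    "  return ctx;\n"
    "}\n"
)


def demo() -> list[Finding]:
    return scan_source(SAMPLE_JS)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {f.count} variation selectors, visible text {f.visible_text!r}")
```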

GlassWorm uses the Solana blockchain for command-and-control (C&C) infrastructure: it searches the blockchain for specific transactions that contain in their memo field instructions regarding the location of the next-stage payload.

This makes the infrastructure resistant to takedown, since transactions cannot be modified or deleted once written to the blockchain, and it gives the attackers anonymity. Furthermore, the attackers can change the payload or its location simply by publishing a new transaction for the malware to read.

“You’re playing whack-a-mole with an opponent who has infinite moles. This isn’t some theoretical attack vector. This is a real-world, production-ready C&C infrastructure that’s actively serving malware right now. And there’s literally no way to take it down,” Koi notes.

Additionally, the malware uses Google Calendar as a backup C&C, from which it fetches another payload to turn the infected systems into nodes in the attacker’s infrastructure, by deploying a SOCKS proxy server, WebRTC modules for peer-to-peer communication, and hidden VNC for remote control.

According to Koi, the attack started on October 17, when seven VS Code extensions on OpenVSX were compromised. Given the malware’s self-propagating capabilities, additional extensions were compromised after the infected packages were installed by users.

On October 18, after two of the initially compromised developers published clean versions of their packages, Koi was seeing 10 extensions still delivering the malware. Another one was identified the next day, in Microsoft’s VS Code marketplace.

“The attacker’s C&C infrastructure is fully operational – payload servers are responding, and stolen credentials are being used to compromise additional packages,” Koi warned over the weekend.

According to Koi, the infected extensions have been installed over 35,800 times. Because VS Code extensions auto-update, the compromised packages infected every developer who had them installed, without any user interaction.
