GlassWorm malware surfaces in development environments
Briefly

"More than 400 repositories, packages, and extensions have been compromised in a short period. This involves a broad range of programming languages and platforms, including Python and JavaScript projects on GitHub and extensions for Visual Studio Code and OpenVSX. This gives the campaign a scale that extends beyond previous observations."
"The attack employs a supply-chain approach, in which malicious code is integrated into seemingly legitimate software components. Developers who install these dependencies unwittingly introduce the malware. Initial access often appears to occur via compromised GitHub accounts, after which attackers make malicious changes to existing repositories."
"The malware uses the Solana blockchain to retrieve instructions. At regular intervals, it checks for new commands, which are then found to be hidden in transaction memos. This method makes it harder to block the infrastructure behind the attack, as traditional network controls are less effective."
"The payload itself is designed to collect sensitive information from development environments. This includes data from crypto wallets, login credentials, tokens, and SSH keys. In some cases, additional software is installed, including a Node.js environment used to execute further malicious scripts."
The GlassWorm operation has resurfaced at significant scale, compromising more than 400 repositories, packages, and extensions across GitHub, npm, Visual Studio Code, and OpenVSX. It is a supply-chain attack: malicious code is integrated into otherwise legitimate software components and reaches developers through compromised developer accounts and package managers, so anyone who installs an affected dependency or extension pulls in the malware. The payload collects sensitive data from development environments, including crypto wallet data, credentials, tokens, and SSH keys, and in some cases stages further tooling such as a Node.js runtime for additional scripts. The distinctive technical feature is command-and-control via the Solana blockchain: the malware polls for new instructions hidden in transaction memos, so the initial lookup never touches attacker-owned infrastructure and instead goes to public Solana RPC endpoints over ordinary HTTPS, which is why traditional network blocking is less effective. Because the operators can issue new instructions with a fresh transaction at any time, the infrastructure is dynamic and the campaign should be treated as ongoing. The practical checks follow from the technique: watch for developer workstations, build agents, and editor extension hosts making outbound JSON-RPC calls to Solana endpoints, and audit recently updated dependencies and extensions in those environments.
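The quoted passages describe commands hidden in Solana transaction memos but not how such a dead drop is read. The following is an added example, not code from the article or from the GlassWorm payload, showing the parsing from the defender's side: given transaction records in the shape of Solana's `getTransaction` JSON-RPC response with `encoding="jsonParsed"`, it pulls out `spl-memo` instructions, unwraps base64 where the memo is encoded, and flags memos that carry a URL or IP address. The field layout of the records, the sample memo contents, and the IP address used are constructed for illustration and are not indicators from the article; the memo program IDs are the public SPL Memo program addresses. Everything runs offline.

```python
"""Extract and decode spl-memo payloads from Solana transaction records.

Added illustration of the blockchain dead-drop technique described above.
The record shape follows Solana getTransaction(encoding="jsonParsed") as
understood by the author (assumption: verify against a live response before
relying on field names). No RPC calls are made; input is constructed inline.
"""
import base64
import binascii
import re

# Public SPL Memo program addresses (v1 and v2). Any instruction sent to one
# of these programs carries a memo string.
MEMO_PROGRAM_IDS = {
    "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFMNo",  # spl-memo v1
    "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",  # spl-memo v2
}

# URL or dotted-quad IPv4 (optionally with port) inside a decoded memo.
C2_PATTERN = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b")

# Constructed sample records (not real chain data). The first transaction
# hides a base64-encoded URL in a memo next to a token-sized transfer; the
# second is a benign plaintext memo with meta set to null, as RPC may return.
SAMPLE_TRANSACTIONS = [
    {
        "blockTime": 1700000000,
        "transaction": {"message": {"instructions": [
            {"program": "system",
             "programId": "11111111111111111111111111111111",
             "parsed": {"type": "transfer", "info": {"lamports": 1}}},
            {"program": "spl-memo",
             "programId": "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
             "parsed": base64.b64encode(b"https://203.0.113.7/stage2.js").decode()},
        ]}},
        "meta": {"innerInstructions": []},
    },
    {
        "blockTime": 1700000100,
        "transaction": {"message": {"instructions": [
            {"program": "spl-memo",
             "programId": "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
             "parsed": "thanks for the coffee"},
        ]}},
        "meta": None,
    },
]


def _instructions(tx):
    """Yield top-level and inner (CPI) instructions of one parsed transaction."""
    message = (tx.get("transaction") or {}).get("message") or {}
    yield from message.get("instructions") or []
    for inner in (tx.get("meta") or {}).get("innerInstructions") or []:
        yield from inner.get("instructions") or []


def extract_memos(tx):
    """Return the raw memo strings of every spl-memo instruction in tx.

    In jsonParsed output the memo text is carried directly in "parsed"
    (assumption based on the author's reading of the parsed encoding).
    """
    return [
        ins["parsed"]
        for ins in _instructions(tx)
        if ins.get("programId") in MEMO_PROGRAM_IDS
        and isinstance(ins.get("parsed"), str)
    ]


def decode_memo(memo):
    """Unwrap one layer of base64 if the memo is strict base64 that decodes to
    printable UTF-8; otherwise return the memo unchanged."""
    try:
        text = base64.b64decode(memo, validate=True).decode("utf-8")
        if text and text.isprintable():
            return text
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass
    return memo


def find_c2_candidates(txs):
    """Return decoded memos that contain a URL or IP, with the block time."""
    hits = []
    for tx in txs:
        for memo in extract_memos(tx):
            text = decode_memo(memo)
            match = C2_PATTERN.search(text)
            if match:
                hits.append({"blockTime": tx.get("blockTime"),
                             "memo": text, "indicator": match.group(0)})
    return hits


if __name__ == "__main__":
    for hit in find_c2_candidates(SAMPLE_TRANSACTIONS):
        print(hit)
```

To use this against a real address, fetch its signatures with `getSignaturesForAddress`, then each transaction with `getTransaction` and `jsonParsed` encoding, and feed the results to `find_c2_candidates`; the decoder only unwraps a single base64 layer, so a memo that is further obfuscated will surface as an opaque string and still deserves a look.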
Read at Techzine Global