- GlassWorm malware campaign extended from VS Code Marketplace to Open VSX
- Four compromised extensions delivered macOS infostealers that stole browser data, wallets, and keychain information
- Extensions downloaded 22,000 times; attackers excluded Russian systems, suggesting Russian origin
GlassWorm, the malware campaign that targeted VS Code developers on Microsoft’s official Visual Studio Code marketplace, has now expanded to open source alternatives, experts have claimed.
Recently, security researchers told Socket that they discovered four extensions in Open VSX, an open, vendor-neutral marketplace for editor extensions (mainly used by developers working with VS Code-compatible editors).
These extensions started out benign, but were compromised at some point and used to deliver an infostealer to macOS users in typical supply chain attack style. Here is the list of the compromised extensions:
- oorzc.ssh-tools v0.5.1
- oorzc.i18n-tools-plus v1.6.8
- oorzc.mind-map v1.0.61
- oorzc.scss-to-css-compile v1.3.4
Cleaning up after the attack
They were updated to include the malware on January 30 after being legitimate for about two years.
The malware loads a macOS infostealer that harvests sensitive data from browsers (Firefox and Chromium), cryptocurrency wallet extensions and apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local file system.
Everything is then exfiltrated to an attacker-owned server.
In total, the extensions were downloaded 22,000 times, the researchers said, suggesting a relatively successful campaign. In addition, the campaign only targets macOS devices, while excluding Russian-locale systems, which may imply that the attackers are of Russian origin.
Socket notified the Open VSX operator, the Eclipse Foundation, of its findings, and the platform revoked the tokens and removed the malicious releases. However, this does not mean that everyone is safe. Users who have downloaded the extensions should still remove them, scan their systems for any remaining malware, and rotate their credentials to fully mitigate the risks.
One of the extensions – oorzc.ssh-tools – was completely removed from Open VSX as it contained several malicious versions, it said. Other extensions were simply cleaned up and returned to the platform.
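To check a machine for the releases listed above, the following added example (not from Socket, Open VSX or the original article) reads each installed extension's package.json and compares it against the article's list. The extension directories it scans are assumed defaults for VS Code-compatible editors and may differ on your system.

```python
import json
from pathlib import Path

# Releases named in the article: extension id -> compromised version.
COMPROMISED = {
    "oorzc.ssh-tools": "0.5.1",
    "oorzc.i18n-tools-plus": "1.6.8",
    "oorzc.mind-map": "1.0.61",
    "oorzc.scss-to-css-compile": "1.3.4",
}
# The article says ssh-tools shipped several malicious versions,
# so every installed version of it is flagged for review.
ANY_VERSION_SUSPECT = {"oorzc.ssh-tools"}

# Assumption: default per-user extension folders; adjust for your editor.
DEFAULT_DIRS = [Path.home() / d / "extensions"
                for d in (".vscode", ".vscode-oss", ".cursor")]

def read_manifest(ext_dir):
    """Return (extension id, version) from package.json, or None."""
    try:
        m = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{m['publisher']}.{m['name']}".lower(), str(m["version"])
    except (OSError, ValueError, KeyError, TypeError):
        return None  # missing, unreadable or malformed manifest

def scan(roots=None):
    """Return (verdict, id, version, path) for each listed extension found."""
    findings = []
    for root in (DEFAULT_DIRS if roots is None else roots):
        if not Path(root).is_dir():
            continue
        for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
            info = read_manifest(ext_dir)
            if info is None or info[0] not in COMPROMISED:
                continue
            ext_id, version = info
            if version == COMPROMISED[ext_id]:
                verdict = "listed-malicious"
            elif ext_id in ANY_VERSION_SUSPECT:
                verdict = "review"
            else:
                verdict = "unlisted-version"
            findings.append((verdict, ext_id, version, str(ext_dir)))
    return findings

if __name__ == "__main__":
    for finding in scan():
        print(*finding, sep="\t")
```

A clean result only means none of the listed extensions is currently installed; it does not show that the infostealer never ran, so credential rotation still applies to anyone who had them.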
Via Bleeping Computer



