- Glassworm campaign resurfaces with 24 malicious extensions on OpenVSX and Visual Studio marketplaces
- Malware steals GitHub, npm, wallet tokens and implements HVNC client with SOCKS proxy
- Targets frameworks like Flutter, React Native, Vue; Microsoft is working on hardening defenses
Malware is back on the OpenVSX and Microsoft Visual Studio marketplaces, researchers warn. In mid-September this year, it was reported that cybercriminals were targeting crypto holders and developers by smuggling infostealers into open source code repositories.
The Visual Studio Marketplace and the Open VSX Registry are both extension distribution platforms. The former is owned by Microsoft and used in Visual Studio and Visual Studio Code, while the latter is a vendor-neutral, open-source alternative designed for VS Code-compatible editors such as Eclipse Theia, Gitpod, SAP Business Application Studio, and others.
At first, the researchers found at least 24 malicious extensions, and as soon as they were removed, new ones appeared. When installed on a Windows device, the extensions deploy Lumma Stealer.
Two dozen new packages
Now security researchers say the campaign, which they have dubbed Glassworm, has resurfaced with 24 new packages added across the two platforms.
To smuggle the malware, the attackers use invisible Unicode characters that form an infostealer that tries to grab GitHub, npm, and OpenVSX accounts. From there, it attempts to withdraw tokens and other valuables from 49 browser extension wallets.
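A defensive check for the hiding technique described above, as an added example that is not from the article or the researchers: it scans extension source text for long runs of characters that render with no glyph. The code point ranges, the run threshold, the file suffixes and the sample text are assumptions, since the article does not say which characters the campaign uses.

```python
import unicodedata
from pathlib import Path

# Assumption: the article does not name the characters used, so this flags
# common no-glyph ranges (variation selectors, Unicode tag characters) plus
# every "Cf" (format) code point such as zero-width space/joiner and BOM.
NO_GLYPH_RANGES = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF), (0xE0000, 0xE007F)]
MIN_RUN = 8  # assumed threshold: single joiners occur in emoji, long runs do not


def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in NO_GLYPH_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"


def find_invisible_runs(text, min_run=MIN_RUN):
    """Return (line, column, length, first code point) for each run of
    consecutive invisible characters at least min_run long (1-based)."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), 1):
        col = 0
        while col < len(line):
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            if col > start and col - start >= min_run:
                first = f"U+{ord(line[start]):04X}"
                findings.append((line_no, start + 1, col - start, first))
            if col == start:
                col += 1  # visible character, move on
    return findings


def scan_tree(root, suffixes=(".js", ".ts", ".json")):
    """Scan an unpacked extension directory, yielding (path, finding)."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            for finding in find_invisible_runs(text):
                yield path, finding


# Constructed sample: one harmless joiner and one 40-character invisible run.
SAMPLE = (
    "const vscode = require('vscode');\n"
    "const label = 'ok\u200d';\n"
    "const blob = '" + "\ufe01" * 40 + "';\n"
    "module.exports = { activate() {} };\n"
)
```

Run `scan_tree` over an extension unpacked from its `.vsix` archive before installing it; a hit is a reason to inspect the file in a hex viewer, not proof of compromise.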
It also implements an HVNC client for remote access and a SOCKS proxy for malicious traffic routing. According to Bleeping Computer, the new attack was discovered by security analysts from Secure Annex, who claim that the campaign targets a wide range of tools and developer frameworks such as Flutter, Vim, YAML, Tailwind, Svelte, React Native and Vue.
The full list of packages can be found at this link.
In its report, Bleeping Computer said it tipped off Microsoft about the attacks and was told the company is looking for ways to harden defenses on the popular repository: “We continue to evaluate and improve our scanning and detections to prevent abuse. Microsoft encourages users to flag suspicious content through a ‘Report Abuse’ link found on every extension page,” Redmond told the publication.
Via Bleeping Computer