- Glassworm campaign re-emerges with 24 malicious extensions on OpenVSX and Visual Studio marketplaces
- Malware steals GitHub, npm, wallet tokens, and deploys HVNC client with SOCKS proxy
- Targets frameworks like Flutter, React Native, Vue; Microsoft working to harden defenses
Malware is back on the OpenVSX and Microsoft Visual Studio marketplaces, researchers are warning. In mid-September this year, it was reported that cybercriminals were targeting crypto holders and developers by smuggling infostealers into open-source code repositories.
The Visual Studio Marketplace and the Open VSX Registry are both platforms for distributing extensions, with the former being Microsoft-owned and used in Visual Studio and Visual Studio Code, while the latter is a vendor-neutral, open-source alternative designed for VS Code-compatible editors like Eclipse Theia, Gitpod, SAP Business Application Studio, and others.
At first, the researchers found at least 24 malicious extensions, and as soon as those were removed – new ones popped up. The extensions, when installed on a Windows device, would deploy Lumma Stealer.
Two dozen new packages
Now, security researchers are saying that the campaign, which they’ve dubbed Glassworm, re-emerged with 24 new packages added across the two platforms.
To smuggle the malware, the attackers are using invisible Unicode characters which form an infostealer attempting to grab GitHub, npm, and OpenVSX accounts. From there, it tries to pull tokens and other valuables from 49 browser extension wallets.
Also, it deploys an HVNC client for remote access, and a SOCKS proxy for malicious traffic routing. According to BleepingComputer, the new attack was spotted by security analysts from Secure Annex, who claim the campaign targets a wide range of tools and developer frameworks like Flutter, Vim, Yaml, Tailwind, Svelte, React Native, and Vue.
The full list of packages can be found on this link.
In its writeup, BleepingComputer said it tipped off Microsoft about the attacks, and was told that the company is looking for ways to harden the defenses on the popular repository: “We continue to assess and improve our scanning and detections to prevent abuse. Microsoft encourages users to flag suspicious content through a “Report Abuse” link found on every extension page,” Redmond told the publication.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
