- Glassworm campaign resurfaces with 24 malicious extensions in OpenVSX and Visual Studio marketplaces
- Malware steals GitHub, npm, wallet tokens and implements HVNC client with SOCKS proxy
- Targets frameworks like Flutter, React Native, Vue; Microsoft works to strengthen defenses
Malware is back in the OpenVSX and Microsoft Visual Studio marketplaces, researchers warn. In mid-September this year, it was reported that cybercriminals were targeting cryptocurrency holders and developers by smuggling information stealers into open source code repositories.
Visual Studio Marketplace and Open VSX Registry are platforms for distributing extensions; the former is proprietary to Microsoft and is used in Visual Studio and Visual Studio Code, while the latter is an open source, vendor-neutral alternative designed for VS Code-compatible editors such as Eclipse Theia, Gitpod, SAP Business Application Studio, and others.
At first, the researchers found at least 24 malicious extensions, and as soon as those were removed, new ones appeared. The extensions, when installed on a Windows device, would deploy Lumma Stealer.
Two dozen new packages
Now, security researchers say the campaign, which they dubbed Glassworm, has resurfaced with 24 new packages added across the two platforms.
To smuggle malware, attackers use invisible Unicode characters that form an information stealer that attempts to take over GitHub, npm, and OpenVSX accounts. From there, it attempts to mine tokens and other valuables from 49 browser extension wallets.
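As an added example (not code from the original article or from the researchers it cites), this Python check shows one way a defender could review extension source for hidden content: it flags long runs of invisible Unicode characters while ignoring the single ones that occur in normal text. The character classes, the `min_run` threshold and the sample text are assumptions made for illustration.

```python
import unicodedata
from dataclasses import dataclass

# Assumption: what counts as "invisible" is this example's choice, not a list
# from the report: Unicode format characters (category Cf, such as zero-width
# space/joiner and tag characters) plus the variation selectors.
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))

# Constructed sample input: line 1 has an emoji followed by one variation
# selector (benign); line 2 carries a 12-character invisible run in a string.
SAMPLE = (
    "const label = '\u2764\ufe0f ok';\n"
    "const data = '" + "\ufe01" * 12 + "';\n"
)


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    in_vs = any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS)
    return in_vs or unicodedata.category(ch) == "Cf"


@dataclass
class Finding:
    line: int    # 1-based line number
    column: int  # 1-based column of the first invisible character
    length: int  # number of consecutive invisible characters


def scan_source(text: str, min_run: int = 4) -> list[Finding]:
    """Report runs of at least min_run consecutive invisible characters.

    Short runs are skipped on purpose: a lone variation selector, zero-width
    joiner or byte-order mark is common in legitimate files.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run_start = None
        for col, ch in enumerate(line + "\n", start=1):  # sentinel closes a run
            if is_invisible(ch):
                run_start = col if run_start is None else run_start
            elif run_start is not None:
                if col - run_start >= min_run:
                    findings.append(Finding(lineno, run_start, col - run_start))
                run_start = None
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}, col {f.column}: {f.length} invisible characters")
```

Run over the unpacked files of an extension, a hit inside a JavaScript string or template literal is a reason to inspect the file in a hex viewer before trusting it.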
Additionally, it implements an HVNC client for remote access and a SOCKS proxy for malicious traffic routing. According to BleepingComputer, the new attack was detected by security analysts at Secure Annex, who claim that the campaign targets a wide range of development tools and frameworks such as Flutter, Vim, YAML, Tailwind, Svelte, React Native and Vue.
The complete package list can be found at this link.
In its report, BleepingComputer said it notified Microsoft about the attacks, and was told the company is looking for ways to bolster defenses on the popular repository: “We continue to evaluate and improve our scanning and detections to prevent abuse. Microsoft encourages users to flag suspicious content through a “Report Abuse” link found on each extension page,” Redmond told the publication.
Via BleepingComputer