
"As Techzine reported when the first attack was discovered, Glassworm used invisible Unicode characters to hide malicious code from view completely. This makes an extension appear legitimate to reviewers, while in fact, modules are added that can compromise GitHub, npm, and OpenVSX accounts, among others. The victim's system is also used as a proxy, and a remote-access component is installed, granting attackers unseen access."
"OpenVSX announced in early November that the incident had been contained. Access tokens had been rotated, their lifespan had been limited, and new extensions would now be scanned automatically. In addition, OpenVSX collaborated with other marketplaces to better manage risks. However, the latest wave of infections shows that attackers are once again able to infiltrate systems with new accounts and packages."
"Glassworm also has a complex infrastructure. Analyses show that the malware uses the Solana blockchain to retrieve instructions, enabling a distributed command-and-control mechanism that is almost impossible to block. As a fallback mechanism, information is retrieved from a hidden Google Calendar item, while parts of the attack are distributed via peer-to-peer connections such as WebRTC and BitTorrent. In the most recent variants, Rust-based implan"
Glassworm is a persistent supply-chain campaign that deploys malicious extensions in developer marketplaces by mimicking popular tool names and artificially inflating download counts to appear trustworthy. The malware hides code using invisible Unicode characters so reviewers see benign content while payload modules are added to compromise GitHub, npm, and OpenVSX accounts. Compromised hosts are used as proxies and receive remote-access implants. Marketplaces implemented mitigations such as token rotation, shorter token lifespans, automated scanning, and cross-marketplace collaboration, but attackers continue to publish new accounts and packages. The campaign uses resilient infrastructure including Solana-based distributed C2, hidden Google Calendar fallbacks, and P2P distribution.
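As an added defender-side example (not code from the Techzine article, OpenVSX, or any marketplace), the following Python scanner flags the kind of invisible Unicode characters the article describes hiding in extension source, reporting line and column so a reviewer can inspect what the editor does not render. The watch-list of non-format code points, the file suffixes and the sample input are constructed assumptions, not the exact set any particular campaign used.

```python
import sys
import unicodedata
from typing import NamedTuple

class Finding(NamedTuple):
    line: int
    col: int
    codepoint: str  # e.g. "U+200B"
    name: str

# Constructed watch-list of code points most editors and diff viewers render as nothing
# but that fall outside the Unicode "format" (Cf) category. An assumed set for
# illustration, not the exact set used by any particular campaign.
EXTRA_INVISIBLE = {0x034F, 0x115F, 0x1160, 0x3164, 0xFFA0}

def is_invisible(ch: str) -> bool:
    """True if the character can sit in source text without a visible glyph."""
    cp = ord(ch)
    if unicodedata.category(ch) == "Cf":  # ZW*, BOM, bidi controls, Tags block
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    return cp in EXTRA_INVISIBLE

def scan_text(text: str) -> list[Finding]:
    """Return every invisible character with its 1-based line and column."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue  # a leading byte-order mark is legitimate, not a finding
            if is_invisible(ch):
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}",
                                        unicodedata.name(ch, "<unnamed>")))
    return findings

def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

# Constructed sample: a zero-width space inside a string literal and two Unicode "Tag"
# characters (U+E0041, U+E0042) before a statement; all three render as nothing.
SAMPLE = ("const fs = require('fs');\n"
          "const x = 'hel\u200blo';\n"
          "\U000E0041\U000E0042 eval(payload);\n")

if __name__ == "__main__":
    # Usage: python scan.py extension.js ...  (no arguments scans the built-in sample)
    for name, found in [(p, scan_file(p)) for p in sys.argv[1:]] or [("<sample>", scan_text(SAMPLE))]:
        for f in found:
            print(f"{name}:{f.line}:{f.col}: {f.codepoint} {f.name}")
```

Any hit in a published extension deserves a look at the raw bytes, since legitimate code rarely needs format or variation-selector characters outside of string data.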
Read at Techzine Global