Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm
Briefly

"On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader. These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases."
"The poisoned versions, Socket noted, are designed to deliver a loader malware associated with a known campaign called GlassWorm. The loader is equipped to decrypt and run embedded at runtime, uses an increasingly weaponized technique called EtherHiding to fetch command-and-control (C2) endpoints, and ultimately run code designed to steal Apple macOS credentials and cryptocurrency wallet data."
On January 30, 2026, four Open VSX extensions published by the oorzc author were released with malicious versions embedding the GlassWorm loader. The extensions had been presented as legitimate developer utilities and together had over 22,000 downloads prior to the poisoned releases. The developer's publishing credentials were compromised, with Open VSX assessing likely use of a leaked token or other unauthorized access; the malicious versions were subsequently removed. The loader decrypts and runs embedded payloads at runtime, uses EtherHiding to retrieve C2 endpoints, profiles hosts before detonation, and targets macOS credentials and cryptocurrency wallet data.
Read at The Hacker News