Security researchers identified GlassWASM malware embedded in two trojanized Visual Studio Code extensions listed on the Open VSX marketplace. The malicious packages, `exargd/vsblack@0.0.1` and `noellee-doc/flint-debug@0.1.1`, were uploaded by a newly created GitHub account and masquerade as legitimate extensions, exploiting the trust gap between publisher identities on different registries: a plausible-looking namespace on Open VSX carries no guarantee that the same name on GitHub or the VS Code Marketplace belongs to the same party.
The malware packs its logic into a WebAssembly module and keeps its strings and commands encrypted, so string-based static scanning of the extension's JavaScript turns up little, and it retrieves its command-and-control (C2) instructions from the Solana blockchain rather than from a domain the operators must keep online. A C2 channel hosted on a public ledger survives the takedown of any single server, and the instructions it returns are crafted per operating system, giving the operators fine-grained control over each victim's machine. The campaign appears linked to the GlassWorm developer group. Defenses include removing the two extensions wherever they are installed, monitoring for the associated wallet addresses and for Solana RPC traffic originating from editor processes, and strengthening EDR rules around child processes spawned by the VS Code extension host. One caveat: a wallet watchlist only catches this variant, since a new campaign can rotate to a fresh wallet at no cost, so behavioural rules are the more durable control.
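As an added example (not the researchers' tooling and not code from the page), the following Python script scans a local VS Code or VSCodium extensions directory for the indicators described above: the two package ids named in the report, embedded or base64-inlined WebAssembly modules, references to public Solana RPC endpoints, and base58 tokens of Solana public-key length that an analyst can check against a wallet watchlist. The directory layout, the RPC host list, the base58 heuristic and the sample extension tree it builds when no real install is present are all assumptions; the sample content is constructed for the demo, not taken from the malicious packages.

```python
"""Scan a VS Code / VSCodium extensions directory for GlassWASM-style indicators.

Added example, not the researchers' tooling. Assumptions: extensions live under
~/.vscode/extensions or ~/.vscode-oss/extensions in <publisher>.<name>-<version>/
folders with a package.json; the RPC host list and the base58 heuristic are ours.
"""
import json
import re
import tempfile
from pathlib import Path

# The two packages named in the report, in Open VSX "namespace/name@version" form.
KNOWN_BAD = {"exargd/vsblack@0.0.1", "noellee-doc/flint-debug@0.1.1"}
# Public Solana RPC endpoints (assumption: a blockchain dead-drop resolver has to
# reach one of these or a private RPC provider; extend the list for your estate).
SOLANA_RPC_HOSTS = ("api.mainnet-beta.solana.com", "api.devnet.solana.com",
                    "api.testnet.solana.com")
WASM_MAGIC = b"\x00asm"          # first four bytes of every .wasm binary
WASM_B64_PREFIX = "AGFzbQ"       # the same magic when the module is inlined as base64
# Solana public keys are 32 bytes in base58: 32-44 chars, never 0, O, I or l.
BASE58_PUBKEY = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{32,44}\b")
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".json", ".wasm"}


def extension_id(pkg: dict) -> str:
    """Build the namespace/name@version id from a package.json dict."""
    return f"{pkg.get('publisher', '?')}/{pkg.get('name', '?')}@{pkg.get('version', '?')}"


def is_wasm(path: Path) -> bool:
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == WASM_MAGIC
    except OSError:
        return False


def scan_extension(ext_dir: Path) -> dict:
    """Collect indicators for one installed extension directory."""
    f = {"id": None, "known_bad": False, "wasm": [], "solana_rpc": [], "pubkeys": set()}
    pkg_file = ext_dir / "package.json"
    if pkg_file.is_file():
        try:
            f["id"] = extension_id(json.loads(pkg_file.read_text(encoding="utf-8")))
            f["known_bad"] = f["id"] in KNOWN_BAD
        except (ValueError, OSError, AttributeError):
            pass
    for path in ext_dir.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        rel = path.relative_to(ext_dir).as_posix()
        if is_wasm(path):
            f["wasm"].append(rel)
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if WASM_B64_PREFIX in text:
            f["wasm"].append(rel + " (base64-inlined)")
        if any(host in text for host in SOLANA_RPC_HOSTS):
            f["solana_rpc"].append(rel)
        f["pubkeys"].update(BASE58_PUBKEY.findall(text))   # candidates for a watchlist check
    f["wasm"].sort()
    f["solana_rpc"].sort()
    return f


def is_suspicious(f: dict) -> bool:
    """Known-bad id, or the GlassWASM combination: a WASM module plus Solana RPC use."""
    return f["known_bad"] or (bool(f["wasm"]) and bool(f["solana_rpc"]))


def scan_extensions_root(root: Path) -> list:
    return [scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]


def build_sample_tree() -> Path:
    """Constructed sample, not real extension content: one benign, one GlassWASM-like."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    benign = root / "example-publisher.hello-world-1.0.0"
    (benign / "out").mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"publisher": "example-publisher", "name": "hello-world", "version": "1.0.0"}))
    (benign / "out" / "extension.js").write_text("exports.activate = () => {};\n")
    bad = root / "noellee-doc.flint-debug-0.1.1"
    (bad / "out").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "noellee-doc", "name": "flint-debug", "version": "0.1.1"}))
    (bad / "out" / "worker.wasm").write_bytes(WASM_MAGIC + b"\x01\x00\x00\x00")
    (bad / "out" / "loader.js").write_text(
        'const blob = "AGFzbQEAAAA=";\n'                                    # inlined header
        'const wallet = "GLASSwasmSampLeKeyNotReaL1111111111111111";\n'   # made-up key
        'fetch("https://api.mainnet-beta.solana.com", {method: "POST"});\n')
    return root


if __name__ == "__main__":
    home = Path.home()
    roots = [p for p in (home / ".vscode/extensions", home / ".vscode-oss/extensions") if p.is_dir()]
    for root in roots or [build_sample_tree()]:   # no install found: scan the constructed sample
        for f in scan_extensions_root(root):
            print("SUSPICIOUS" if is_suspicious(f) else "ok", f["id"], f["wasm"], f["solana_rpc"])
```

Run it on a developer workstation; an extension flagged on the WASM-plus-RPC combination deserves a manual look rather than automatic quarantine, since legitimate extensions ship WebAssembly too and the base58 scan will return tokens that are not wallets.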