www.securityweek.com 2/2/2026, 2:25:39 PM

Open VSX Publisher Account Hijacked in Fresh GlassWorm Attack

On January 30, a threat actor published malicious versions of four established VS Code extensions with over 22,000 combined downloads, marking another GlassWorm campaign on the Open VSX marketplace, according to Socket. The extensions contained code that would execute at runtime, avoid running on systems with Russian locales, resolve command-and-control data from Solana transaction memos, and run additional payloads.

Consistent with previously observed activity, the extensions were repurposed to deploy a GlassWorm loader, though the fresh attack did not rely on typosquatting or cloned tools. The publisher account used for the attack was compromised, with the Open VSX security team assessing the incident as consistent with leaked tokens or other unauthorized publishing access.

The campaign included a macOS-focused loader that later staged a Node.js implant for data theft and persistence, targeting developer credentials and configuration to facilitate potential lateral movement.


Article by CyberSIXT