Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer’s resources to push malicious updates to downstream users.
“On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader,” Socket security researcher Kirill Boychenko said in a Saturday report.
“These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases.”
The supply chain security company said the attack involved the compromise of the developer’s publishing credentials; the Open VSX security team assessed the incident as the use of either a leaked token or some other form of unauthorized access to the account. The malicious versions have since been removed from Open VSX. Removal from the registry does not uninstall copies that were already pulled onto developer machines, so the affected versions still need to be checked for locally.
The list of identified extensions is below –
- FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
- I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
- vscode mindmap (oorzc.mind-map — version 1.0.61)
- scss to css (oorzc.scss-to-css-compile — version 1.3.4)
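The following scanner is an added example, not code from the Socket report or from the Open VSX project. It walks the local extension directories of VS Code and of Open VSX-based builds such as VSCodium and flags installs of the four extension IDs above, distinguishing the exact malicious versions from other versions of the same extensions. It assumes the standard layout in which every installed extension is a directory holding a `package.json` manifest with `publisher`, `name` and `version` fields, and the default extension roots (no portable mode or custom `--extensions-dir`).

```python
# Added example (not from the Socket report or the Open VSX project): scan the
# local extension directories of VS Code and Open VSX-based editors for the
# compromised oorzc extension versions listed in the article. Assumption: each
# installed extension is a directory containing a package.json manifest.
import json
from pathlib import Path

# Indicators taken from the extension list above: extension ID -> malicious version.
KNOWN_MALICIOUS = {
    "oorzc.ssh-tools": "0.5.1",
    "oorzc.i18n-tools-plus": "1.6.8",
    "oorzc.mind-map": "1.0.61",
    "oorzc.scss-to-css-compile": "1.3.4",
}

# Default extension roots (assumption: no portable mode or custom --extensions-dir).
# ~/.vscode-oss is used by VSCodium and other builds that install from Open VSX.
DEFAULT_ROOTS = [
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".vscode" / "extensions",
]


def classify(manifest):
    """Classify one parsed package.json.

    Returns (extension_id, version, status) where status is
    'known-malicious' for an exact hit on a listed version, or
    'same-extension-other-version' for another version of an affected
    extension: only the listed versions are reported malicious, but the
    publisher account was compromised, so those installs deserve a look.
    Returns None for extensions that are not affected.
    """
    publisher = manifest.get("publisher")
    name = manifest.get("name")
    version = manifest.get("version")
    if not (publisher and name and version):
        return None
    ext_id = f"{publisher}.{name}".lower()
    if ext_id not in KNOWN_MALICIOUS:
        return None
    if str(version) == KNOWN_MALICIOUS[ext_id]:
        return ext_id, str(version), "known-malicious"
    return ext_id, str(version), "same-extension-other-version"


def scan_extensions(root):
    """Walk one extensions directory; return (ext_id, version, status, path) findings."""
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    for ext_dir in sorted(root.iterdir()):
        manifest_path = ext_dir / "package.json"
        if not manifest_path.is_file():
            continue
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, it is not an IOC match
        result = classify(manifest)
        if result is not None:
            findings.append((*result, str(ext_dir)))
    return findings


if __name__ == "__main__":
    hits = [f for root in DEFAULT_ROOTS for f in scan_extensions(root)]
    if not hits:
        print("no affected oorzc extensions found under", [str(r) for r in DEFAULT_ROOTS])
    for ext_id, version, status, path in hits:
        print(f"{status}: {ext_id} {version} at {path}")
```

A `known-malicious` hit means the loader has already had a chance to run, so the host should be treated as compromised rather than merely cleaned: remove the extension directory, then rotate the credentials the stealer goes after.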
The poisoned versions, Socket noted, deliver a loader associated with a known campaign tracked as GlassWorm. The loader decrypts and runs an embedded payload at runtime, uses the increasingly weaponized EtherHiding technique, in which the command-and-control (C2) endpoints are read from data stored in a public blockchain smart contract rather than hard-coded so that they survive takedowns of conventional hosting, and ultimately runs code designed to steal Apple macOS credentials and cryptocurrency wallet data.
At the same time, the malware detonates only after it has profiled the compromised machine and determined that the system is not running with a Russian locale, a check commonly seen in malware originating from or affiliated with Russian-speaking threat actors seeking to avoid domestic prosecution.
The kinds of information harvested by the malware include –
- Data from Mozilla Firefox and Chromium-based browsers (logins, cookies, browsing history, and wallet extensions like MetaMask)
- Cryptocurrency wallet files (Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, and TonKeeper)
- iCloud Keychain database
- Safari cookies
- Data from Apple Notes
- User documents from the Desktop, Documents, and Downloads folders
- FortiClient VPN configuration files
- Developer credentials (e.g., ~/.aws and ~/.ssh)
The targeting of developer credentials poses a severe risk because it exposes enterprise environments to cloud account compromise and lateral movement beyond the infected workstation.
“The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to…
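The script below is an added example, not part of the Socket report, for the triage step that follows a confirmed infection: it inventories the developer credential stores named above (npm `_authToken` entries, `~/.aws`, `~/.ssh`, and GitHub CLI authentication) so the owner knows what to rotate, without ever printing a secret value. The file locations are the conventional ones for npm, the AWS CLI, OpenSSH and the GitHub CLI; the `.npmrc` and AWS credentials parsing is this example’s own.

```python
# Added example (not from the Socket report): inventory, without surfacing any
# secret values, the developer credential stores the stealer is reported to
# target, so that an affected developer knows what to rotate. Paths are the
# conventional defaults for npm, the AWS CLI, OpenSSH and the GitHub CLI.
import re
from pathlib import Path


def npmrc_token_registries(text):
    """Return registry hosts that carry an _authToken in .npmrc content.

    Per-registry lines look like '//registry.npmjs.org/:_authToken=npm_xxx';
    a bare '_authToken=' line applies to the default registry. Only the
    registry part is returned; the token value itself is never surfaced.
    """
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue  # comment or blank line
        m = re.match(r"^//(.+?):_authToken=", line)
        if m:
            hosts.append(m.group(1).rstrip("/"))
        elif line.startswith("_authToken="):
            hosts.append("(default registry)")
    return hosts


def aws_profiles(text):
    """Return profile names from an AWS credentials file that hold a static access key."""
    profiles = []
    current, has_key = None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if current and has_key:
                profiles.append(current)
            current, has_key = line[1:-1].strip(), False
        elif current and re.match(r"^aws_access_key_id\s*=", line, re.IGNORECASE):
            has_key = True
    if current and has_key:
        profiles.append(current)
    return profiles


def is_private_key(path):
    """True if a file looks like a PEM or OpenSSH private key (header only is read)."""
    try:
        with Path(path).open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head


def inventory(home):
    """Return (category, detail) pairs for credential material present under home."""
    home = Path(home)
    found = []
    npmrc = home / ".npmrc"
    if npmrc.is_file():
        for host in npmrc_token_registries(npmrc.read_text(encoding="utf-8", errors="replace")):
            found.append(("npm _authToken", host))
    creds = home / ".aws" / "credentials"
    if creds.is_file():
        for profile in aws_profiles(creds.read_text(encoding="utf-8", errors="replace")):
            found.append(("AWS static key profile", profile))
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():
        for p in sorted(ssh_dir.iterdir()):
            if p.is_file() and is_private_key(p):
                found.append(("SSH private key", p.name))
    gh_hosts = home / ".config" / "gh" / "hosts.yml"
    if gh_hosts.is_file():
        found.append(("GitHub CLI auth", str(gh_hosts)))
    return found


if __name__ == "__main__":
    for category, detail in inventory(Path.home()):
        print(f"rotate: {category}: {detail}")
```

Anything this reports as present on a machine that ran one of the malicious versions should be assumed stolen: revoke the npm and GitHub tokens, deactivate the AWS access keys, and replace the SSH key pairs and their `authorized_keys` entries rather than just deleting the local files.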