A new malware campaign, called GlassWorm, is infecting developers on the OpenVSX and Microsoft Visual Studio marketplaces. The malware uses invisible Unicode characters to hide its code and can spread itself using stolen account information. It has been installed an estimated 35,800 times.
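The detail that matters for reviewers is the hiding technique: characters that render as nothing in an editor can sit inside an otherwise innocent source line and still carry data. The scanner below is an added example, not code from the article or from Koi Security, and it does not reproduce GlassWorm's own encoding; it simply reports every line of a source file that contains invisible Unicode characters, distinguishes a stray zero-width character from a long run that is more likely a hidden payload, and rewrites the line with visible `<U+XXXX>` markers so a reviewer can see what the editor would not show. The set of code points treated as invisible, the `min_run` threshold and the sample extension source are this example's own assumptions.

```python
"""Scan source text for invisible Unicode characters that can hide code.

Added example (not from the article or from Koi Security): a scanner a reviewer
can run over extension sources before installing them. The code points treated
as "invisible" below are this example's own choice, not a list from the page.
"""
import sys
import unicodedata

# Zero-width and similar invisible code points (constructed list of the usual suspects).
ZERO_WIDTH = {
    0x00AD,                                   # soft hyphen
    0x180E,                                   # Mongolian vowel separator
    0x200B, 0x200C, 0x200D,                   # zero-width space / non-joiner / joiner
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064,   # word joiner, invisible operators
    0x3164, 0xFFA0,                           # Hangul fillers
    0xFEFF,                                   # zero-width no-break space (BOM) inside a body
}
# Variation selectors and tag characters render as nothing after an ordinary
# character, so a long run of them can carry arbitrary bytes unseen.
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
TAG_CHARACTERS = set(range(0xE0000, 0xE0080))

SOURCE_WHITESPACE = "\t\n\r"


def is_invisible(ch: str) -> bool:
    """True if `ch` would render as nothing in a typical editor or code review."""
    cp = ord(ch)
    if cp in ZERO_WIDTH or cp in VARIATION_SELECTORS or cp in TAG_CHARACTERS:
        return True
    cat = unicodedata.category(ch)
    # Cf = format characters (bidi overrides etc.); Cc = control characters.
    return cat == "Cf" or (cat == "Cc" and ch not in SOURCE_WHITESPACE)


def scan_source(text: str, min_run: int = 8) -> list[dict]:
    """Return one finding per line that contains invisible characters.

    `longest_run` is the longest stretch of consecutive invisible characters; a
    run of `min_run` or more is flagged as a likely hidden payload rather than a
    single stray zero-width character left behind by copy-paste.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [ch for ch in line if is_invisible(ch)]
        if not hits:
            continue
        longest = run = 0
        for ch in line:
            run = run + 1 if is_invisible(ch) else 0
            longest = max(longest, run)
        findings.append({
            "line": line_no,
            "count": len(hits),
            "longest_run": longest,
            "likely_payload": longest >= min_run,
            "codepoints": sorted({f"U+{ord(c):04X}" for c in hits}),
        })
    return findings


def reveal(line: str) -> str:
    """Replace invisible characters with a visible <U+XXXX> marker for review."""
    return "".join(f"<U+{ord(c):04X}>" if is_invisible(c) else c for c in line)


# Constructed sample: an innocuous-looking extension source whose second line
# carries 20 supplementary variation selectors after the statement.
HIDDEN = "".join(chr(0xE0100 + b) for b in b"hidden stage payload")
SAMPLE_JS = (
    "const greeting = 'hello';\n"
    f"const x = 1;{HIDDEN}\n"
    "console.log(greeting);\n"
)

if __name__ == "__main__":
    # Usage: python scan_invisible.py [path/to/extension.js]; no path scans the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_JS
    lines = text.splitlines()
    for f in scan_source(text):
        flag = "PAYLOAD?" if f["likely_payload"] else "stray"
        print(f"line {f['line']}: {f['count']} invisible chars, longest run "
              f"{f['longest_run']} [{flag}] {f['codepoints'][:5]}")
        print("    ", reveal(lines[f["line"] - 1]))
```

The run-length threshold is the useful part: a single zero-width space is common in copied text, while dozens of consecutive variation selectors in one source line have no legitimate purpose in JavaScript and are worth a manual look before the extension is installed.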
GlassWorm operators use the Solana blockchain for command-and-control, making the infrastructure difficult to take down. The malware also deploys a SOCKS proxy to route malicious traffic through the victim’s machine and installs hidden VNC (HVNC) clients for invisible remote access.
Researchers at Koi Security have found that GlassWorm’s final stage, called ZOMBI, transforms infected systems into nodes in a criminal infrastructure network. The malware uses BitTorrent’s Distributed Hash Table (DHT) for decentralized command distribution.
So far, 11 extensions on OpenVSX and one on Microsoft’s VS Code Marketplace have been infected by GlassWorm. The infected extensions include CodeJoy, vscode-theme-seti-folder, and git-worktree-menu. Researchers warn that the C2 and payload servers in the GlassWorm campaign remain active, with at least ten extensions actively distributing the malware.
Microsoft has removed the malicious extension from its marketplace, while some of the compromised extensions are still available for download on OpenVSX.
Source: https://www.bleepingcomputer.com/news/security/self-spreading-glassworm-malware-hits-openvsx-vs-code-registries