Three new malicious extensions on the OpenVSX marketplace, one of which claims to be the customizable code formatter Prettier Pro, have sought to compromise macOS devices as part of the fourth wave of attacks involving the self-replicating Glassworm malware, reports Cybernews.
The updated Glassworm malware, which features robust encryption and is embedded in the extensions' JavaScript file, targets developers in cryptocurrency, startup, and web3 environments, who commonly use Macs, according to an analysis from Koi Security. Once the illicit extensions, which have accumulated 50,000 downloads, are installed, the payload executes after a 15-minute delay intended to circumvent analysis and detection tools, and the Solana blockchain is then leveraged to ensure persistence.
After locating the current command-and-control endpoint, Glassworm proceeds to replace hardware crypto wallet apps with trojanized versions, while pilfering NPM and GitHub tokens, as well as macOS Keychain passwords, browser cookies, and VPN configurations, said researchers, who warned of subsequent Glassworm attack waves.
"When C2 infrastructure lives on an immutable blockchain, there's no domain to blacklist. When the attacker reads your research and ships new techniques within weeks, signature-based detection is always one step behind," researchers added.
OpenVSX extensions target macOS with GlassWorm malware




