BleepingComputer reports that the novel self-propagating GlassWorm malware has been injected into a dozen OpenVSX and Microsoft VSCode extensions, which together have been downloaded 35,800 times, as part of an ongoing supply chain intrusion.
Installing the extensions, which conceal GlassWorm with Unicode characters, enables the exfiltration of OpenVSX, GitHub, and npm credentials, as well as cryptocurrency wallet details from 49 extensions, according to findings in a Koi Security report.
Aside from launching a SOCKS proxy to route malicious traffic, GlassWorm also installs a Hidden Virtual Network Computing (HVNC) client for covert remote desktop access before deploying the ZOMBI payload, which turns compromised developer workstations into nodes for subsequent cybercriminal activity.
"Here's what makes this particularly urgent: VS Code extensions auto-update. When CodeJoy pushed version 1.8.3 with invisible malware, everyone with CodeJoy installed got automatically updated to the infected version. No user interaction. No warning. Just silent, automatic infection," said researchers, who noted that at least four of the illicit OpenVSX extensions remain active while the lone VSCode extension has already been removed.
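The report says the malicious code is concealed with Unicode characters; a practical defensive check is to scan the JavaScript shipped in installed extensions for code points that render as nothing in an editor. The scanner below is an added example written for this article, not code from BleepingComputer, Koi Security, or any extension vendor. It assumes (this is an assumption, since the article does not say which characters were used) that the concealment relies on invisible code points such as zero-width and bidi format characters, variation selectors, and tag characters, and it treats a long unbroken run of such characters as the strongest signal, since a stray BOM or a single variation selector in a localized string is normal while an encoded payload produces dozens or hundreds in a row. The `run_threshold` value and the directory layout it walks (e.g. an unpacked extension folder such as `~/.vscode/extensions`) are the author's choices for this example.

```python
"""Scan JavaScript/TypeScript sources for invisible Unicode code points.

Added example; not code from the article, Koi Security, or any extension.
Assumption: the "Unicode characters" used for concealment are code points
that render invisibly (format chars, variation selectors, tag characters).
"""
import sys
import unicodedata
from pathlib import Path

# Code point ranges that most editors render as nothing (assumed watch-list).
_INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x2028, 0x202E),    # line/paragraph separators, bidi embeddings/overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x206F),    # bidi isolates, deprecated format characters
    (0xFE00, 0xFE0F),    # variation selectors VS1-VS16
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17-VS256
)


def is_invisible(ch):
    """True if a single character is on the watch-list or is a format/control
    character other than ordinary tab/newline."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in _INVISIBLE_RANGES):
        return True
    cat = unicodedata.category(ch)
    return cat == "Cf" or (cat == "Cc" and ch not in "\t\n\r")


def scan_source(text):
    """Return (line, column, 'U+XXXX') for every invisible character found."""
    findings = []
    for ln, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                findings.append((ln, col, f"U+{ord(ch):04X}"))
    return findings


def longest_invisible_run(text):
    """Length of the longest consecutive run of invisible code points.
    An encoded payload yields a long run; a lone BOM yields 1."""
    best = run = 0
    for ch in text:
        run = run + 1 if is_invisible(ch) else 0
        best = max(best, run)
    return best


def verdict(text, run_threshold=16):
    """Classify a source file: 'clean', 'review: ...' or 'suspicious: ...'."""
    if not scan_source(text):
        return "clean"
    if longest_invisible_run(text) >= run_threshold:
        return "suspicious: long run of invisible characters"
    return "review: isolated invisible characters"


def scan_extension_dir(root, suffixes=(".js", ".mjs", ".cjs", ".ts")):
    """Walk an unpacked extension directory and return {path: verdict}."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            results[str(p)] = verdict(p.read_text(encoding="utf-8", errors="replace"))
    return results


# Constructed samples (not real extension code): a clean file, a file with a
# single BOM, and a file where a byte string is hidden as variation selectors.
CLEAN = "const x = 1;\nconsole.log(x);\n"
BOM_ONLY = "\ufeffconst y = 2;\n"
SAMPLE_BYTES = b"payload-bytes-here-example-xyz"
SUSPICIOUS = "const z = 3;" + "".join(
    chr(0xE0100 + (b % 0xF0)) for b in SAMPLE_BYTES) + "\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, v in scan_extension_dir(sys.argv[1]).items():
            if v != "clean":
                print(f"{v}: {path}")
    else:
        for name, src in (("CLEAN", CLEAN), ("BOM_ONLY", BOM_ONLY),
                          ("SUSPICIOUS", SUSPICIOUS)):
            print(f"{name}: {verdict(src)} {scan_source(src)[:3]}")
```

Run it with an extension directory as the first argument to list only files that are not clean; with no argument it classifies the three constructed samples. Because extensions auto-update, the check is only useful if it runs after every update, for example from a scheduled task or a pre-commit hook in the developer workstation's baseline tooling.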