A fourth wave of the GlassWorm malware campaign is targeting macOS developers through malicious extensions distributed on the OpenVSX registry and the Microsoft Visual Studio Marketplace, according to researchers at Koi Security.
The campaign involves compromised extensions designed for VS Code-compatible editors. These extensions, which typically add productivity tools or language support, have been weaponised to deliver malware that steals developer credentials and cryptocurrency data.
GlassWorm was first identified in October after being hidden inside extensions using invisible Unicode characters. Once installed, the malware attempted to harvest login details for GitHub, npm and OpenVSX accounts, as well as data from cryptocurrency wallet extensions.
It also enabled remote access via VNC and allowed attackers to route traffic through infected systems using a SOCKS proxy.
Despite public disclosure and additional safeguards, the malware resurfaced in early November on OpenVSX and again in early December on the VS Code marketplace.
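As an added illustration (not code from the article, Koi Security or either marketplace), the following Python sketch shows how a defender could audit an unpacked extension for the kind of invisible Unicode hiding described for the first wave. The character ranges, the `min_run` threshold and the function names are assumptions of this example; the article does not specify which characters were used.

```python
import os
import unicodedata

# Assumption for this example: the article does not say which invisible
# characters were used, so the scanner covers the common zero-width classes.
INVISIBLE_RANGES = (
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
)

def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Cf covers zero-width space/joiners, bidi controls, BOM and tag characters
    return unicodedata.category(ch) == "Cf"

def find_invisible_runs(text, min_run=4):
    """Return (line, column, length) for each run of >= min_run invisible chars.

    A lone U+FE0F or U+200D is normal in emoji; long runs are not.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        run_start = None
        for col, ch in enumerate(line + "\n", start=1):  # sentinel closes a trailing run
            if is_invisible(ch):
                if run_start is None:
                    run_start = col
            elif run_start is not None:
                if col - run_start >= min_run:
                    findings.append((line_no, run_start, col - run_start))
                run_start = None
    return findings

def scan_extension_dir(root, suffixes=(".js", ".ts", ".json")):
    """Walk an unpacked extension directory and map file path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_invisible_runs(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: line 2 carries 12 hidden variation selectors; line 3 is a normal emoji
SAMPLE = 'const label = "ok";\nrun("' + "\uFE00\uFE01" * 6 + '");\nconst heart = "\u2764\uFE0F";\n'
```

A scan like this only addresses the invisible-Unicode technique; it does not detect the encrypted payload reported for the latest wave.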
In the latest campaign, researchers observed a shift in tactics. The new wave targets macOS systems exclusively, unlike earlier versions that focused on Windows. The malware now uses an AES-256-CBC encrypted payload embedded in compiled JavaScript within OpenVSX extensions, rather than invisible Unicode characters or compiled R
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
