- Glassworm campaign reappears with 24 malicious extensions on OpenVSX and Visual Studio marketplaces
- Malware steals GitHub, npm, wallet tokens and deploys HVNC client with SOCKS proxy
- Targets frameworks like Flutter, React Native, Vue; Microsoft works to strengthen defenses
Malware is back on the OpenVSX and Microsoft Visual Studio marketplaces, researchers warn. In mid-September this year, it was reported that cybercriminals were targeting cryptocurrency holders and developers by smuggling infostealers into open source code repositories.
Visual Studio Marketplace and Open VSX Registry are both extension distribution platforms. The former is owned by Microsoft and used in Visual Studio and Visual Studio Code, while the latter is a vendor-neutral open source alternative designed for VS Code-compatible editors like Eclipse Theia, Gitpod, SAP Business Application Studio and others.
At first, researchers found at least 24 malicious extensions, and as soon as they were removed, new ones appeared. The extensions, when installed on a Windows device, would deploy Lumma Stealer.
Two dozen new packages
Now, security researchers say the campaign, which they have dubbed Glassworm, has re-emerged with 24 new packages added across both platforms.
To deliver the malware, attackers use invisible Unicode characters to hide an infostealer that attempts to take over GitHub, npm, and OpenVSX accounts. From there, it attempts to extract tokens and other valuables from 49 browser extension wallets.
Additionally, it deploys an HVNC client for remote access and a SOCKS proxy for routing malicious traffic. According to BleepingComputer, the new attack was spotted by security analysts at Secure Annex, who say the campaign targets a wide range of development tools and frameworks such as Flutter, Vim, YAML, Tailwind, Svelte, React Native and Vue.
The full list of packages can be found at this link.
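A defender-side check for the invisible Unicode technique described above, as an added example that is not from the original article or from the researchers: it flags long runs of invisible code points in extension source text before installation or during review. The code point ranges, the `minRun` threshold and the names `findInvisibleRuns` and `SAMPLE` are assumptions made for illustration.

```javascript
// Added example. The ranges are an assumption (common invisible/format code
// points); the page does not say which ones the campaign used.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space/joiners, LRM, RLM
  [0x202a, 0x202e],   // bidi embedding/override controls
  [0x2060, 0x2069],   // word joiner, invisible operators, bidi isolates
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // zero-width no-break space (BOM)
  [0xe0000, 0xe007f], // tag characters
  [0xe0100, 0xe01ef], // variation selectors supplement
];
const isInvisible = (cp) => INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);

// One finding per run of at least minRun consecutive invisible code points, so a
// lone selector after an emoji or a leading BOM stays below the threshold.
function findInvisibleRuns(source, minRun = 8) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    let run = null;
    let column = 0;
    const flush = () => {
      if (run && run.count >= minRun) findings.push(run);
      run = null;
    };
    for (const ch of text) { // iterates by code point, not UTF-16 unit
      column += 1;
      const cp = ch.codePointAt(0);
      if (!isInvisible(cp)) { flush(); continue; }
      if (!run) run = { line: idx + 1, column, count: 0, min: cp, max: cp };
      run.count += 1;
      run.min = Math.min(run.min, cp);
      run.max = Math.max(run.max, cp);
    }
    flush();
  });
  return findings;
}

// Constructed sample: a harmless emoji line, then a string literal that looks
// empty but holds 40 variation selectors.
const SAMPLE = [
  "const label = 'ok \u2764\uFE0F';",
  "const data = '" + String.fromCodePoint(0xe0100).repeat(20) +
    String.fromCodePoint(0xfe00).repeat(20) + "';",
].join("\n");

console.log(findInvisibleRuns(SAMPLE));
```

Each finding gives the line, the starting column counted in code points, the run length and the lowest and highest code point seen, which is enough to locate the span in a hex viewer.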
In its report, BleepingComputer said it informed Microsoft of the attacks, and was told the company was looking at ways to strengthen the popular repository’s defenses: “We continue to evaluate and improve our analytics and detection to prevent abuse. Microsoft encourages users to report suspicious content through a ‘Report Abuse’ link found on each extension page,” Redmond told the publication.
Via BleepingComputer




