All news with #openvsx tag

GlassWorm Returns to OpenVSX with Three VSCode Extensions

⚠ The GlassWorm malware campaign has resurfaced on OpenVSX, delivering malicious payloads via three new VSCode extensions that have been reported as downloaded over 10,000 times. The extensions use invisible Unicode obfuscation to execute JavaScript and harvest credentials and cryptocurrency wallet data through Solana transactions. Koi Security says the attacker reused infrastructure with updated C2 endpoints and that investigators accessed an attacker server, recovering victim data and identifying multiple global victims.

Self-Propagating GlassWorm Targets VS Code Marketplaces

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.

GlassWorm Worm Infects OpenVSX and VS Code Extensions

🛡️ A sophisticated supply-chain campaign called GlassWorm is propagating through OpenVSX and Microsoft VS Code extensions and is estimated to have about 35,800 active installs. The malware conceals malicious scripts using invisible Unicode characters, then steals developer credentials and cryptocurrency wallet data while deploying SOCKS proxies and hidden VNC clients for covert access. Operators rely on the Solana blockchain for resilient C2, with Google Calendar and direct-IP fallbacks.

TigerJack's Malicious VSCode Extensions Steal and Mine

⚠️ Koi Security disclosed a coordinated campaign by a group dubbed TigerJack that published malicious extensions to the Visual Studio Code Marketplace and the OpenVSX registry to exfiltrate source code, deploy cryptominers, and maintain remote access. Two popular packages — C++ Payground and HTTP Format — accumulated over 17,000 downloads before removal from Microsoft's store, yet variants remain active on OpenVSX. Researchers warn that the most advanced builds fetch and execute remote JavaScript, allowing attackers to push new payloads without republishing and evading static scanners.

Malicious VSCode Extensions Resurface on OpenVSX Registry

⚠️ Researchers at Koi Security warn that a threat actor known as TigerJack is distributing malicious Visual Studio Code extensions on both the official marketplace and the community-maintained OpenVSX registry. Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace after roughly 17,000 downloads but remain available on OpenVSX, and the actor repeatedly republishes variants under new accounts. The malicious code exfiltrates source code, deploys a CoinIMP cryptominer with no resource limits, or fetches remote JavaScript to enable arbitrary code execution, creating significant risks to developer machines and corporate networks.