Glassworm returns once again with a third round of VS Code attacks


  • Glassworm campaign re-emerges with 24 malicious extensions on OpenVSX and Visual Studio marketplaces
  • Malware steals GitHub, npm, wallet tokens, and deploys HVNC client with SOCKS proxy
  • Targets frameworks like Flutter, React Native, Vue; Microsoft working to harden defenses

Malware is back on the OpenVSX and Microsoft Visual Studio marketplaces, researchers are warning. In mid-September this year, it was reported that cybercriminals were targeting crypto holders and developers by smuggling infostealers into open-source code repositories.

The Visual Studio Marketplace and the Open VSX Registry are both platforms for distributing extensions, with the former being Microsoft-owned and used in Visual Studio and Visual Studio Code, while the latter is a vendor-neutral, open-source alternative designed for VS Code-compatible editors like Eclipse Theia, Gitpod, SAP Business Application Studio, and others.

At first, the researchers found at least 24 malicious extensions, and as soon as those were removed, new ones popped up. The extensions, when installed on a Windows device, would deploy Lumma Stealer.

Two dozen new packages

Now, security researchers are saying that the campaign, which they’ve dubbed Glassworm, re-emerged with 24 new packages added across the two platforms.

To smuggle the malware, the attackers hide its code in invisible Unicode characters, which together form an infostealer that attempts to grab GitHub, npm, and OpenVSX accounts. From there, it tries to pull tokens and other valuables from 49 browser extension wallets.
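Because the hidden code does not show up in an editor or a diff view, reviewing an extension by eye is not enough. The following Python scanner is an added example, not code from the article or from the researchers; the code-point classes it flags and the run-length threshold of 8 are assumptions chosen for illustration, and the sample input is constructed.

```python
import unicodedata

# Assumed ranges (not from the article): variation selectors and their supplement.
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))

def is_invisible(ch: str) -> bool:
    """True for code points that normally draw no glyph of their own."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS):
        return True
    # Cf = format controls (zero-width, bidi, tag characters).
    # Co = private use, which has no standard glyph.
    return unicodedata.category(ch) in ("Cf", "Co")

def find_invisible_runs(text: str, min_run: int = 8):
    """Return (line, column, length) for each run of >= min_run invisible code points.

    Short runs are ignored on purpose: a BOM, an emoji ZWJ sequence or a single
    variation selector is normal in source files, a long run is not.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        run_start = None
        # The appended newline is a visible sentinel that flushes a trailing run.
        for col, ch in enumerate(line + "\n", start=1):
            if is_invisible(ch):
                if run_start is None:
                    run_start = col
            elif run_start is not None:
                if col - run_start >= min_run:
                    findings.append((line_no, run_start, col - run_start))
                run_start = None
    return findings

# Constructed sample: a clean line with one emoji variation selector, then a
# line whose string literal holds 40 consecutive variation selectors.
SAMPLE = (
    "const label = 'ok \u2764\ufe0f';\n"
    "const data = '" + "".join(chr(0xFE00 + i % 16) for i in range(40)) + "';\n"
)

if __name__ == "__main__":
    for line, col, length in find_invisible_runs(SAMPLE):
        print(f"line {line}, column {col}: {length} consecutive invisible code points")
```

Run over the unpacked files of an extension, any hit is a reason to inspect the file in a hex viewer before installing or updating.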

Also, it deploys an HVNC client for remote access, and a SOCKS proxy for malicious traffic routing. According to BleepingComputer, the new attack was spotted by security analysts from Secure Annex, who claim the campaign targets a wide range of tools and developer frameworks like Flutter, Vim, YAML, Tailwind, Svelte, React Native, and Vue.

The full list of packages can be found on this link.

In its writeup, BleepingComputer said it tipped off Microsoft about the attacks, and was told that the company is looking for ways to harden the defenses on the popular repository: "We continue to assess and improve our scanning and detections to prevent abuse. Microsoft encourages users to flag suspicious content through a 'Report Abuse' link found on every extension page," Redmond told the publication.

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
