First Self-Propagating Worm Using Invisible Code Hits OpenVSX and VS Code
2 days ago
- #supply-chain-attack
- #cybersecurity
- #malware
- GlassWorm is the first worm targeting VS Code extensions on OpenVSX, using invisible Unicode characters to hide malicious code.
- The attack employs blockchain-based C2 infrastructure (Solana) and Google Calendar as backup, making it nearly impossible to shut down.
- Infected systems become part of a criminal network, acting as SOCKS proxies, with hidden VNC servers for remote access.
- The worm steals NPM, GitHub, and Git credentials to propagate further, targeting 49 cryptocurrency wallet extensions.
- Seven OpenVSX extensions were compromised, with 35,800 downloads, and the attack is actively spreading.
- The malware uses advanced techniques like WebRTC P2P, BitTorrent DHT, and HVNC for persistent, invisible control.
- Koi Security detected the attack via behavioral analysis, revealing the sophisticated, multi-layered C2 system.
- The worm's self-propagation mechanism uses stolen credentials to compromise additional packages, creating exponential growth.
- Current impact includes credential theft, cryptocurrency wallet draining, and turning developer machines into criminal infrastructure.
- The attack highlights the vulnerabilities in the open-source ecosystem and the need for advanced security measures.
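A defensive check for the hiding technique named in the first bullet (invisible Unicode characters in extension source), added here as an example; it is not code from the article or from Koi Security. The page does not list the exact code points GlassWorm uses, so the scanner flags every Unicode format character (category Cf, which covers zero-width characters and the U+E0000..U+E007F Tag block) plus variation selectors, and the extension file it scans is a constructed sample.

```python
import unicodedata
from typing import Dict, List

# Variation selectors render as nothing but are category Mn, not Cf,
# so they are listed explicitly alongside the Cf check below.
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
# A UTF-8 BOM as the very first character is the one Cf code point a
# legitimate source file commonly carries; everything else is reported.
ALLOWED_AT_FILE_START = {"\ufeff"}


def is_invisible(ch: str) -> bool:
    """True for Cf characters (zero-width joiners/spaces, Tag characters)
    and for variation selectors: text that is invisible when rendered."""
    if unicodedata.category(ch) == "Cf":
        return True
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS)


def _finding(name: str, lineno: int, run: list) -> Dict:
    return {"file": name, "line": lineno, "col": run[0][0], "length": len(run),
            "codepoints": [f"U+{ord(ch):04X}" for _, ch in run]}


def scan_text(text: str, name: str = "<input>") -> List[Dict]:
    """Report each run of consecutive invisible code points with its
    1-based line and column, so a reviewer can locate hidden payloads."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run = []
        for col, ch in enumerate(line, start=1):
            bom = lineno == 1 and col == 1 and ch in ALLOWED_AT_FILE_START
            if is_invisible(ch) and not bom:
                run.append((col, ch))
                continue
            if run:
                findings.append(_finding(name, lineno, run))
                run = []
        if run:
            findings.append(_finding(name, lineno, run))
    return findings


# Constructed sample: an extension entry file with a hidden run of Tag
# characters (U+E0001, U+E0041, U+E0042) appended to an innocuous line.
SAMPLE = ("const vscode = require('vscode');\n"
          "function activate(context) {\n"
          "    console.log('ready');\U000E0001\U000E0041\U000E0042\n"
          "}\n")

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "extension.js"):
        print(f"{f['file']}:{f['line']}:{f['col']} {f['length']} invisible "
              f"code point(s): {' '.join(f['codepoints'])}")
```

Run it over every file in an extension's VSIX before installing or publishing; a clean file returns an empty list.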