Illustration of a digital supply chain under attack, with malicious code infiltrating developer tools and spreading malware.

Open VSX Registry Breached: GlassWorm Malware Spreads via Compromised Developer Accounts



In a significant cybersecurity alert, researchers have unveiled details of a sophisticated supply chain attack targeting the Open VSX Registry. Unidentified threat actors successfully compromised legitimate developer resources, leveraging them to disseminate malicious updates to unsuspecting users downstream. This incident marks a concerning escalation in tactics, as the GlassWorm malware campaign adopts a new, more insidious distribution method.

According to Kirill Boychenko, a security researcher at Socket, the attack unfolded on January 30, 2026. Four well-established Open VSX extensions, all published by the ‘oorzc’ author, were updated with malicious versions embedding the GlassWorm malware loader. These extensions, previously considered legitimate developer utilities and some active for over two years, had collectively amassed more than 22,000 downloads on Open VSX prior to the compromise.

The Anatomy of the Attack: Compromised Credentials

Socket, the supply chain security firm, confirmed that the attack hinged on the compromise of the developer’s publishing credentials. The Open VSX security team’s assessment points to either a leaked token or another form of unauthorized access as the likely entry point. This method represents a stark departure from previous GlassWorm campaigns, which typically relied on typosquatting and brandjacking to push fraudulent extensions.

The malicious versions of the extensions have since been removed from the Open VSX Registry. The affected extensions include:

  • FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
  • I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
  • vscode mindmap (oorzc.mind-map — version 1.0.61)
  • scss to css (oorzc.scss-to-css-compile — version 1.3.4)
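The list above gives exact extension IDs and versions, which is enough for a local check. The following script is an added example, not code from Socket or the Open VSX project: it walks a VS Code or VSCodium extension folder and flags any installed copy of the four releases named in the report. It assumes the layout VS Code uses for `~/.vscode/extensions` (VSCodium: `~/.vscode-oss/extensions`), where each extension sits in `<publisher>.<name>-<version>/` with a `package.json` carrying `publisher`, `name` and `version`.

```python
"""Added example (not from the Socket/Open VSX report): scan local VS Code /
VSCodium extension folders for the compromised oorzc releases listed above.
Assumption: each extension lives in <root>/<publisher>.<name>-<version>/package.json,
the layout of ~/.vscode/extensions (VSCodium: ~/.vscode-oss/extensions)."""
import json
import tempfile
from pathlib import Path

# Extension IDs and versions exactly as listed in the report.
COMPROMISED = {
    "oorzc.ssh-tools": "0.5.1",
    "oorzc.i18n-tools-plus": "1.6.8",
    "oorzc.mind-map": "1.0.61",
    "oorzc.scss-to-css-compile": "1.3.4",
}


def default_roots() -> list:
    """Conventional extension folders for VS Code and VSCodium (assumed defaults)."""
    home = Path.home()
    return [home / ".vscode" / "extensions", home / ".vscode-oss" / "extensions"]


def read_manifest(ext_dir: Path):
    """Return (extension_id, version) from an extension's package.json, or None."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    publisher, name, version = data.get("publisher"), data.get("name"), data.get("version")
    if not (publisher and name and version):
        return None
    return f"{publisher}.{name}", str(version)


def scan_extensions(root: Path) -> dict:
    """Classify every extension under `root`.

    'compromised'    - exact match on a listed ID and version
    'same_publisher' - a listed extension at another version (confirm it is a
                       post-takedown release before trusting it)
    'other'          - everything else
    """
    result = {"compromised": [], "same_publisher": [], "other": []}
    if not root.is_dir():
        return result
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        info = read_manifest(ext_dir)
        if info is None:
            continue  # no usable manifest: nothing to classify
        ext_id, version = info
        if ext_id in COMPROMISED and version == COMPROMISED[ext_id]:
            result["compromised"].append(info)
        elif ext_id in COMPROMISED:
            result["same_publisher"].append(info)
        else:
            result["other"].append(info)
    return result


def demo_scan() -> dict:
    """Run the scan over a constructed extension folder (sample data, not a real install)."""
    sample = {  # constructed sample manifests
        "oorzc.ssh-tools-0.5.1": ("oorzc", "ssh-tools", "0.5.1"),
        "oorzc.mind-map-1.0.60": ("oorzc", "mind-map", "1.0.60"),
        "example.harmless-2.0.0": ("example", "harmless", "2.0.0"),
        "broken-no-manifest": None,
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder, fields in sample.items():
            (root / folder).mkdir()
            if fields:
                publisher, name, version = fields
                (root / folder / "package.json").write_text(json.dumps(
                    {"publisher": publisher, "name": name, "version": version}))
        return scan_extensions(root)


if __name__ == "__main__":
    for root in default_roots():
        found = scan_extensions(root)
        for ext_id, version in found["compromised"]:
            print(f"COMPROMISED: {ext_id} {version} in {root}")
        for ext_id, version in found["same_publisher"]:
            print(f"REVIEW: {ext_id} {version} in {root} (listed publisher, other version)")
```

A hit in the `compromised` bucket means the malicious release was installed at some point, so the credential inventory described later in the article (npm tokens, `~/.aws`, `~/.ssh`) should be treated as exposed; a `same_publisher` hit only says the extension is present at another version and is worth confirming against the registry.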

GlassWorm’s Devious Payload and Evasion Tactics

Socket’s analysis revealed that the poisoned extensions were engineered to deliver a loader malware, a known component of the GlassWorm campaign. This loader is designed to decrypt and execute embedded code at runtime, employing advanced techniques to evade detection and maintain persistence.

Sophisticated Evasion and C2

A notable feature of the GlassWorm loader is its use of ‘EtherHiding,’ an increasingly weaponized technique that leverages Solana blockchain memos as a dynamic “dead drop” to fetch command-and-control (C2) endpoints. This innovative approach allows threat actors to rotate their staging infrastructure without needing to republish extensions, making static indicators less effective and shifting the advantage towards behavioral detection.

Furthermore, the malware incorporates a geographical evasion mechanism: it only detonates after profiling the compromised machine and determining that it does not correspond to a Russian locale. This pattern is frequently observed in malicious programs originating from or affiliated with Russian-speaking threat actors, a tactic often used to circumvent domestic prosecution.

Targeting High-Value Data

Once activated, GlassWorm’s primary objective is to exfiltrate a wide array of sensitive data, with a particular focus on Apple macOS credentials and cryptocurrency wallet information. The malware is capable of harvesting:

  • Login credentials, cookies, and internet history from Mozilla Firefox and Chromium-based browsers, including wallet extensions like MetaMask.
  • Cryptocurrency wallet files from popular platforms such as Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, and TonKeeper.
  • iCloud Keychain database and Safari cookies.
  • User documents from Desktop, Documents, and Downloads folders, as well as data from Apple Notes.
  • FortiClient VPN configuration files.
  • Crucially, developer credentials, including those found in ~/.aws and ~/.ssh directories.

Shifting Tactics: A Growing Threat to Developers

The targeting of developer information presents severe risks, potentially exposing enterprise environments to cloud account compromises and lateral movement attacks within networks. As Boychenko elaborated, “The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation.”
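The developer artifacts named in the list above (`~/.aws`, `~/.ssh`) and in Boychenko’s quote (the npm `_authToken`) are the ones a developer must rotate after running a compromised extension. The script below is an added example, not code from Socket or the report, that inventories those artifacts in a home directory so the rotation list is explicit. It reports only where a credential lives and what kind it is, never the value, and for SSH keys it also notes whether the key file is passphrase-protected (a cleartext `~/.ssh` key is usable as soon as it is copied). The paths are the conventional defaults and are assumptions; the sample files in `demo_inventory` are constructed test data.

```python
"""Added example, not from the report: inventory the developer credentials the
GlassWorm payload is described as harvesting (npm _authToken entries, AWS
profiles, SSH private keys) so that anyone who ran a compromised extension knows
what to rotate. Secret values are never returned, only their location and type.
Paths are the conventional defaults under the home directory (assumed)."""
import base64
import configparser
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # header of the modern OpenSSH key format


def npm_tokens(npmrc: Path) -> list:
    """Registry scopes that carry an _authToken in an .npmrc (token values are dropped)."""
    found = []
    if not npmrc.is_file():
        return found
    for line in npmrc.read_text(encoding="utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank, comment, or not a key=value line
        key = line.split("=", 1)[0].strip()
        if key.endswith("_authToken"):
            scope = key[: -len("_authToken")].rstrip(":")
            found.append(scope or "(default registry)")
    return found


def aws_profiles(credentials: Path) -> list:
    """Profiles in ~/.aws/credentials holding an access key (key IDs are not returned)."""
    if not credentials.is_file():
        return []
    cfg = configparser.ConfigParser()
    cfg.read(credentials, encoding="utf-8")
    return [s for s in cfg.sections() if cfg.has_option(s, "aws_access_key_id")]


def ssh_key_encrypted(text: str):
    """True/False for a PEM-armoured private key; None if the text is not a private key."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return None
    header = lines[0]
    if "OPENSSH PRIVATE KEY" in header:
        # Modern format: magic, then a length-prefixed cipher name; "none" means cleartext.
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", body[off:off + 4])
        return body[off + 4:off + 4 + n] != b"none"
    if "ENCRYPTED PRIVATE KEY" in header:
        return True  # encrypted PKCS#8
    if "PRIVATE KEY" in header:
        # Legacy PEM keys mark encryption with a Proc-Type header.
        return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
    return None


def ssh_private_keys(ssh_dir: Path) -> list:
    """(filename, encrypted?) for every private key file in ~/.ssh."""
    if not ssh_dir.is_dir():
        return []
    out = []
    for f in sorted(ssh_dir.iterdir()):
        if not f.is_file() or f.suffix == ".pub":
            continue
        try:
            state = ssh_key_encrypted(f.read_text(encoding="utf-8", errors="replace"))
        except (OSError, ValueError):
            continue  # unreadable or malformed base64: skip
        if state is not None:
            out.append((f.name, state))
    return out


def inventory(home: Path) -> dict:
    """Everything under `home` that should be rotated after a loader ran as this user."""
    return {
        "npm_token_scopes": npm_tokens(home / ".npmrc"),
        "aws_profiles": aws_profiles(home / ".aws" / "credentials"),
        "ssh_keys": ssh_private_keys(home / ".ssh"),
    }


def _constructed_openssh_key(cipher: bytes) -> str:
    """Just enough of an OpenSSH key file to exercise the parser (constructed, not a real key)."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo_inventory() -> dict:
    """Run the inventory over a constructed home directory (sample data, no real secrets)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".npmrc").write_text(
            "registry=https://registry.npmjs.org/\n"
            "//registry.npmjs.org/:_authToken=npm_EXAMPLE_NOT_REAL\n"
            "# _authToken=commented-out\n")
        (home / ".aws").mkdir()
        (home / ".aws" / "credentials").write_text(
            "[default]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = x\n"
            "[sso-only]\nregion = eu-west-1\n")
        (home / ".ssh").mkdir()
        (home / ".ssh" / "id_ed25519").write_text(_constructed_openssh_key(b"none"))
        (home / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAA example\n")
        (home / ".ssh" / "deploy_key").write_text(_constructed_openssh_key(b"aes256-ctr"))
        (home / ".ssh" / "config").write_text("Host *\n  IdentitiesOnly yes\n")
        return inventory(home)


if __name__ == "__main__":
    print(inventory(Path.home()))
```

Run it once against the real home directory to produce the rotation list; the npm and AWS entries should be revoked at the issuer regardless of passphrase state, since the payload reads the files directly. GitHub authentication artifacts, which the quote also mentions, are stored by several different tools and are left out here rather than guessed at.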

This incident underscores a critical evolution in the GlassWorm campaign. By compromising a legitimate developer’s account, the threat actors effectively “blend into normal developer workflows,” as Socket noted. This strategy, combined with encrypted, runtime-decrypted loaders and dynamic C2 infrastructure, significantly reduces the efficacy of traditional static security measures, demanding a greater emphasis on behavioral detection and rapid incident response.

The Open VSX supply chain attack serves as a stark reminder of the persistent and evolving threats facing the software development ecosystem. Organizations and individual developers must remain vigilant, prioritize credential security, and adopt robust behavioral monitoring to counter these increasingly sophisticated cyber adversaries.



