Warning: "GlassWorm" Campaign Targets VS Code Developers, Stealing Crypto with 24 Malicious Extensions

The Malicious GlassWorm Campaign: Targeting VS Code Developers and Cryptocurrency Users


The "GlassWorm" malware campaign has resurfaced with 24 new malicious extensions for the Visual Studio Code (VS Code) editor. The campaign targets developers and cryptocurrency users. Once one of these extensions is installed on a Windows system, it drops Lumma Stealer, an information-stealing malware that harvests credentials and other sensitive data from the machine.

The malicious extensions are distributed through both the Open VSX Registry and the Microsoft Visual Studio Marketplace, the two main marketplaces for editor extensions. The Visual Studio Marketplace is operated by Microsoft and serves extensions for Visual Studio and VS Code. Open VSX, run by the Eclipse Foundation, is an open-source, vendor-neutral alternative that supplies extensions to VS Code-compatible editors such as Eclipse Theia, Gitpod, and SAP Business Application Studio.

Advanced Glassworm Tactics and Data Theft


Researchers continue to find new batches of these extensions: each time a set is removed from the marketplaces, replacements appear. The extensions hide their payload with invisible Unicode characters. To a human reader, and in the editor, the sequence renders as empty space, so a reviewer scrolling through the file sees nothing unusual. The hidden characters cannot execute on their own; they carry an encoded payload that other code in the extension decodes and runs, which is why scanning extension files on disk for such characters, rather than reading them in an editor, is the reliable check. The payload goes after credentials for GitHub, npm, and Open VSX accounts and then attempts to drain tokens and other assets from 49 browser-based cryptocurrency wallet extensions.
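The check described above, as an added example that is not part of the original article and not GlassWorm's own code: a scanner that walks a JavaScript source string by code point, flags every character that renders as nothing in an editor (zero-width characters, bidi controls, variation selectors, tag characters, Hangul fillers, and any other Unicode "format" character), and reports the longest unbroken run, since a long run is the signature of an encoded payload rather than a stray editor artefact. The sample extension source it scans is constructed for illustration.

```javascript
// Added example (not GlassWorm's code, not from the original article):
// scan JavaScript source for invisible Unicode code points of the kind used
// to hide a payload in plain sight inside an extension. The sample source
// at the bottom is constructed for illustration.

// Code-point ranges that render as nothing (or as blank space) in editors.
const INVISIBLE_RANGES = [
  [0x00ad, 0x00ad, 'SOFT HYPHEN'],
  [0x034f, 0x034f, 'COMBINING GRAPHEME JOINER'],
  [0x115f, 0x1160, 'HANGUL JAMO FILLER'],
  [0x180e, 0x180e, 'MONGOLIAN VOWEL SEPARATOR'],
  [0x200b, 0x200f, 'ZERO WIDTH / BIDI MARK'],
  [0x202a, 0x202e, 'BIDI EMBEDDING/OVERRIDE'],
  [0x2060, 0x2064, 'WORD JOINER / INVISIBLE OPERATOR'],
  [0x2066, 0x2069, 'BIDI ISOLATE'],
  [0x3164, 0x3164, 'HANGUL FILLER'],
  [0xfe00, 0xfe0f, 'VARIATION SELECTOR'],
  [0xfeff, 0xfeff, 'ZERO WIDTH NO-BREAK SPACE (BOM)'],
  [0xffa0, 0xffa0, 'HALFWIDTH HANGUL FILLER'],
  [0xe0000, 0xe007f, 'TAG CHARACTER'],
  [0xe0100, 0xe01ef, 'VARIATION SELECTOR SUPPLEMENT'],
];

// Returns a descriptive name if the code point is invisible, otherwise null.
function classifyCodePoint(cp) {
  for (const [lo, hi, name] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return name;
  }
  // Any other Unicode "format" character (general category Cf) is also suspect.
  if (/\p{Cf}/u.test(String.fromCodePoint(cp))) return 'OTHER FORMAT (Cf)';
  return null;
}

// Walks the source by code point (not UTF-16 unit, so astral-plane ranges
// such as tag characters are handled) and records every invisible
// character with its 1-based line and column.
function scanForInvisibleUnicode(source) {
  const findings = [];
  let line = 1;
  let col = 1;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (cp === 0x0a) { line += 1; col = 1; continue; }
    const name = classifyCodePoint(cp);
    if (name !== null) {
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      findings.push({ line, col, codePoint: `U+${hex}`, name });
    }
    col += 1;
  }
  return findings;
}

// Summarises findings: counts per character class plus the longest run of
// adjacent invisible code points on one line.
function summarizeFindings(findings) {
  const byName = {};
  let longestRun = 0;
  let run = 0;
  let prev = null;
  for (const f of findings) {
    byName[f.name] = (byName[f.name] || 0) + 1;
    const adjacent = prev !== null && f.line === prev.line && f.col === prev.col + 1;
    run = adjacent ? run + 1 : 1;
    if (run > longestRun) longestRun = run;
    prev = f;
  }
  return { total: findings.length, longestRun, byName };
}

// Constructed sample: a harmless-looking activate() with twelve variation
// selectors and a zero-width space tucked behind a comment (13 invisible
// code points in a row, starting at line 2, column 12).
const HIDDEN_RUN = '\uFE00\uFE01\uFE02\uFE03'.repeat(3) + '\u200B';
const SAMPLE_SOURCE = [
  'const activate = (context) => {',
  '  // helper' + HIDDEN_RUN,
  '  vscode.window.showInformationMessage("ready");',
  '};',
].join('\n');

const report = summarizeFindings(scanForInvisibleUnicode(SAMPLE_SOURCE));
console.log(JSON.stringify(report, null, 2));
```

To audit a real installation, read each `.js` file under the directory where VS Code keeps extensions (`~/.vscode/extensions`, or `%USERPROFILE%\.vscode\extensions` on Windows) and pass its contents to `scanForInvisibleUnicode`; a file with a run of dozens or hundreds of invisible code points deserves a closer look. VS Code's `editor.unicodeHighlight.invisibleCharacters` setting highlights many of these characters in the editor, but a scan of the files on disk does not depend on what the editor chooses to render.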

Hidden Spread Mechanisms and Control


The malware also deploys an HVNC (Hidden Virtual Network Computing) client, giving the attackers interactive remote access to the infected machine with nothing visible to the user, and a SOCKS proxy that routes the attackers' traffic through the victim's network. Analysts at Secure Annex, who observed the new wave, note that the extensions are aimed at developers using popular tools and frameworks including Flutter, Vim, YAML, Tailwind, Svelte, React Native, and Vue. The final-stage module, ZOMBI, is heavily obfuscated JavaScript that turns compromised developer workstations into nodes of the attackers' infrastructure. For command and control, GlassWorm reads its instructions from the Solana blockchain; because the ledger is decentralized and append-only, the channel cannot be shut down by seizing a server. Google Calendar serves as a backup C2 channel.

Microsoft Efforts and Security Recommendations

