GlassWorm Loader Hits Open VSX via Developer Account Compromise
Blog post from Socket
Socket's Threat Research team identified a developer-compromise supply chain attack via the Open VSX Registry, in which the GlassWorm malware was embedded in four extensions originally published by a developer named oorzc. The compromised extensions posed as legitimate tools and had collectively accumulated over 22,000 downloads, suggesting significant adoption before the malicious versions were released. The attack involved leaked publishing credentials or tokens and mirrors a pattern of recent GlassWorm-related activity that uses blockchain technology for command and control and targets macOS systems to steal sensitive data, including browser cookies, cryptocurrency wallet information, and developer credentials. The Open VSX security team responded by deactivating the compromised tokens, removing the malicious extensions, and flagging the developer's tools in its malware list. Previous waves of GlassWorm attacks had relied on typosquatting and brandjacking; this incident underscores a growing threat in software supply chains from compromised developer accounts, which can lead to widespread credential theft and potential cloud account compromise.
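A defender's first question after a report like this is whether any machine in the fleet has an extension from the affected publisher installed. The following inventory check is an added example, not Socket's tooling or the Open VSX team's; it walks the VS Code and VSCodium extension directories (VSCodium installs from Open VSX), reads each extension's package.json, and reports extensions whose publisher is on a watchlist. The publisher name oorzc comes from the report above; the extension names, versions and paths in the sample data are constructed, since the report does not list the affected extension IDs.

```python
import json
from pathlib import Path

# Publishers to flag: "oorzc" is the compromised developer named in the Socket
# report. The comparison is case-insensitive, so store entries in lower case.
WATCHLIST_PUBLISHERS = {"oorzc"}

# Extension roots used by VS Code and by VSCodium, which installs from Open VSX.
DEFAULT_ROOTS = [Path.home() / ".vscode" / "extensions",
                 Path.home() / ".vscode-oss" / "extensions"]

def load_manifests(roots):
    """Yield (manifest_path, manifest_dict_or_None) for each installed extension."""
    for root in roots:
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            manifest = entry / "package.json"
            if not manifest.is_file():
                continue
            try:
                with manifest.open(encoding="utf-8") as fh:
                    yield str(manifest), json.load(fh)
            except (OSError, ValueError):
                yield str(manifest), None  # unreadable or malformed: surface it

def find_flagged(manifests, watchlist=WATCHLIST_PUBLISHERS):
    """Return findings for watchlisted publishers and for unreadable manifests."""
    findings = []
    for path, manifest in manifests:
        if manifest is None:
            findings.append({"path": path, "reason": "unreadable manifest"})
            continue
        publisher = str(manifest.get("publisher", "")).lower()
        if publisher in watchlist:
            findings.append({"path": path, "reason": "watchlisted publisher",
                             "extension": f"{publisher}.{manifest.get('name', '?')}",
                             "version": manifest.get("version", "?")})
    return findings

# Constructed sample manifests standing in for a real extensions directory.
SAMPLE_MANIFESTS = [
    ("/tmp/ext/oorzc.sample-tool-1.2.3/package.json",
     {"publisher": "oorzc", "name": "sample-tool", "version": "1.2.3"}),
    ("/tmp/ext/other.clean-ext-0.1.0/package.json",
     {"publisher": "other", "name": "clean-ext", "version": "0.1.0"}),
    ("/tmp/ext/broken/package.json", None),
]
```

Against a real workstation, call `find_flagged(load_manifests(DEFAULT_ROOTS))`; a match is a reason to remove the extension and rotate any developer tokens and credentials stored on that machine, not proof of compromise by itself.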