Publisher profile for oorzc on Visual Studio Marketplace | Image: Socket
A sophisticated supply chain attack has struck the open-source ecosystem, leveraging compromised developer credentials to inject malware into popular coding tools. Socket’s Threat Research team has uncovered a campaign where the GlassWorm loader was embedded into four established extensions on the Open VSX Registry, a popular marketplace for VS Code extensions.
The attack, which began on January 30, 2026, turned trusted utilities into malicious trojans. The affected extensions—including an SSH sync tool and a CSS compiler—had previously been legitimate, accumulating over 22,000 downloads before they were poisoned.
Unlike typical attacks that rely on typo-squatting or fake names, this campaign abused a known and trusted identity. The malicious updates were published under the account of “oorzc,” an author with a history of maintaining legitimate tools.
“The Open VSX security team assessed the activity as consistent with a leaked token or other unauthorized access,” the report states.
By publishing through an established account, the attackers bypassed the initial skepticism that usually greets new or unknown publishers, and existing installs received the trojanized versions as ordinary updates. The four compromised extensions were:
- FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools)
- I18n Tools (oorzc.i18n-tools-plus)
- vscode mindmap (oorzc.mind-map)
- scss to css (oorzc.scss-to-css-compile)
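A quick way to check a developer workstation against the list above is to walk the local extension directories and flag any installed copy of the four identifiers. The script below is an added example written for this article, not code from Socket or from the Open VSX project; the directory locations it assumes (VS Code stable and Insiders, VSCodium, Cursor) and the `publisher.name-version` folder naming convention are assumptions about default installs, and since the report does not name the poisoned version numbers, it flags every installed version so the reader can compare against the cleaned registry.

```python
"""Flag locally installed VS Code-family extensions published under the compromised oorzc account.

Added example for this article; not Socket's or Open VSX's own tooling.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

# The four extension identifiers named in the Socket report.
COMPROMISED_IDS = frozenset({
    "oorzc.ssh-tools",
    "oorzc.i18n-tools-plus",
    "oorzc.mind-map",
    "oorzc.scss-to-css-compile",
})

# Assumed default extension directories for common VS Code forks (adjust for your setup).
DEFAULT_EXTENSION_DIRS = (
    "~/.vscode/extensions",
    "~/.vscode-insiders/extensions",
    "~/.vscode-oss/extensions",
    "~/.cursor/extensions",
)

# Installed extensions live in folders named "publisher.name-X.Y.Z[...]"; extension names may
# themselves contain hyphens, so match lazily up to the first "-<semver>" boundary.
_DIRNAME_RE = re.compile(r"^(?P<id>.+?)-(?P<version>\d+\.\d+\.\d+.*)$")


def parse_dirname(name: str) -> tuple[str, str] | None:
    """Split an extension folder name into (extension_id, version); None if it does not fit."""
    m = _DIRNAME_RE.match(name)
    if not m:
        return None
    return m.group("id").lower(), m.group("version")


def identify_extension(ext_dir: Path) -> tuple[str, str] | None:
    """Identify an installed extension, preferring its own package.json over the folder name."""
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            publisher, name, version = data.get("publisher"), data.get("name"), data.get("version")
            if publisher and name and version:
                return f"{publisher}.{name}".lower(), str(version)
        except (OSError, ValueError):
            pass  # unreadable or malformed manifest: fall back to the directory name
    return parse_dirname(ext_dir.name)


def is_compromised(ext_id: str) -> bool:
    """True when the extension id is one of the four named in the report."""
    return ext_id.lower() in COMPROMISED_IDS


def scan_extension_dirs(dirs=DEFAULT_EXTENSION_DIRS) -> list[dict]:
    """Return one finding per installed copy of a compromised extension id."""
    findings: list[dict] = []
    for d in dirs:
        root = Path(d).expanduser()
        if not root.is_dir():
            continue  # that editor is not installed here
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ident = identify_extension(ext_dir)
            if ident and is_compromised(ident[0]):
                findings.append({"id": ident[0], "version": ident[1], "path": str(ext_dir)})
    return findings


if __name__ == "__main__":
    hits = scan_extension_dirs()
    if not hits:
        print("No oorzc extensions from the compromised list are installed.")
    for hit in hits:
        # Any version should be checked against the cleaned registry; an update after
        # 2026-01-30 means the credential theft described below may already have run.
        print(f"FOUND {hit['id']} {hit['version']} at {hit['path']}")
```

A hit is a reason to uninstall the extension and then go straight to credential rotation; the registry clean-up does not reach machines that already pulled the bad update.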
The malware hidden inside these updates is a multi-stage threat designed for stealth and persistence. Dubbed GlassWorm by researchers, it employs advanced evasion techniques to hide its tracks.
“The malicious update introduces staged loaders that decrypt and execute embedded code at runtime, includes Russian-locale avoidance, resolves command and control (C2) pointers from Solana transaction memos, and then executes additional remote code”.
This use of the Solana blockchain as a “dead drop” for command-and-control instructions is a deliberate resilience measure. The implant only needs to know which account to watch; the attackers rotate their server addresses by posting a new transaction memo, without updating the malware code itself, so blocking whatever C2 hostname was observed yesterday does little. The more stable indicators are the dead-drop account itself and the blockchain RPC lookups the implant performs to read it.
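The mechanism is easier to see in a toy model. The code below is an added illustration for this article, not GlassWorm's code and not a description of its actual memo format: the ledger is an in-memory list, the dead-drop account address is made up, and the `c2:` base64 memo layout is invented. What it shows is that the implant embeds nothing but the account to watch, that a fresh memo changes the resolved server with no change to the implant, and that a hostname blocklist built from the first beacon is stale after the first rotation.

```python
"""Toy model of a blockchain 'dead drop' C2 resolver.

Added illustration for this article; the memo layout and account are invented.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass
from urllib.parse import urlparse

# Made-up dead-drop account: the only pointer baked into the implant.
DEAD_DROP_ACCOUNT = "DropAcct1111111111111111111111111111111111"


@dataclass(frozen=True)
class MemoTx:
    slot: int     # ledger position; higher means newer
    sender: str   # account that signed the transaction
    memo: str     # free-form text attached to the transaction


def publish_pointer(ledger: list[MemoTx], slot: int, url: str) -> None:
    """Attacker side: rotate the C2 by appending a new memo (no implant update needed)."""
    encoded = base64.b64encode(url.encode()).decode()
    ledger.append(MemoTx(slot, DEAD_DROP_ACCOUNT, "c2:" + encoded))


def resolve_c2(ledger: list[MemoTx]) -> str | None:
    """Implant side: newest well-formed memo from the dead-drop account wins.

    Memos from other senders are ignored (anyone can write to a public ledger),
    and undecodable memos are skipped rather than trusted.
    """
    for tx in sorted(ledger, key=lambda t: t.slot, reverse=True):
        if tx.sender != DEAD_DROP_ACCOUNT or not tx.memo.startswith("c2:"):
            continue
        try:
            return base64.b64decode(tx.memo[3:], validate=True).decode()
        except ValueError:  # binascii.Error is a ValueError
            continue
    return None


def hostname_blocked(url: str | None, blocklist: set[str]) -> bool:
    """Defender side: a hostname blocklist, the control that rotation defeats."""
    if url is None:
        return False
    return (urlparse(url).hostname or "") in blocklist


if __name__ == "__main__":
    ledger: list[MemoTx] = []
    publish_pointer(ledger, slot=100, url="https://c2-a.invalid/beacon")
    first = resolve_c2(ledger)
    blocklist = {urlparse(first).hostname}           # defender reacts to the first beacon
    publish_pointer(ledger, slot=200, url="https://c2-b.invalid/beacon")  # attacker rotates
    second = resolve_c2(ledger)
    print(first, "blocked:", hostname_blocked(first, blocklist))
    print(second, "blocked:", hostname_blocked(second, blocklist))
```

The defender-side takeaway is in the last two lines: the same implant binary now beacons somewhere the blocklist has never seen. Alerting on the editor process querying a blockchain RPC endpoint, which a code editor has no reason to do, survives rotation.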
The ultimate goal of the attack appears to be information theft, with a laser focus on developer environments. The malware specifically targets macOS systems, hunting for the keys to the digital kingdom.
The payload “targets developer credentials and configuration, including ~/.aws (credentials and config) and ~/.ssh (private keys, known_hosts…),” the report warns.
Beyond cloud secrets, it also sweeps for personal wealth and access. The malware harvests data from “desktop cryptocurrency wallet files (Electrum, Exodus…),” as well as “the user’s login keychain database, Apple Notes databases, Safari cookies, and FortiClient VPN configuration files”.
Following the discovery, the Open VSX security team moved quickly. They “deactivated the publisher’s two Open VSX tokens” and removed the malicious versions from the registry. That clean-up does not reach machines that had already pulled the update: anyone who installed or updated one of the four extensions after January 30, 2026 should assume the credentials and keys listed above were exfiltrated and rotate them.