Developers must contend with malicious code lying dormant inside their Visual Studio Code (VS Code) extensions. The code is believed to have compromised thousands of users by stealing GitHub, Open VSX, and cryptocurrency wallet credentials.
Operation GlassWorm was first identified by cybersecurity firm Koi Security late last month and is the work of a group compromising VS Code extensions distributed through both the Open VSX Registry and Microsoft’s Visual Studio Marketplace. The attackers are reportedly embedding invisible malicious code inside legitimate-looking developer tools.
Koi Security researchers say the campaign is primarily aimed at harvesting developer credentials such as NPM tokens, GitHub logins, and Git credentials to enable supply chain compromise and financial theft.
According to Koi’s analysis, the same malware also targets 49 different cryptocurrency wallet extensions, draining users’ funds and exfiltrating sensitive data to remote servers.
GlassWorm turns developers’ machines into aids for criminals
As reported in a Koi team blog post shared on several subreddits, the malicious extension deploys SOCKS proxy servers and uses compromised developer systems to build a criminal proxy network. In parallel, a hidden VNC server is installed, giving the attacker full remote access to the victim’s machine without any visible signs.
Stolen GitHub and NPM credentials help operators infect additional repositories and packages, allowing GlassWorm to propagate deeper into the software supply chain.
Open VSX confirmed on October 21st that it had identified and removed all known malicious extensions associated with this campaign, and also revoked and rotated the compromised tokens.
However, a new report from Koi Security indicates that GlassWorm has re-emerged using a more advanced form of Unicode-based obfuscation to bypass detection systems.
The company said seven extensions were compromised again on October 17th, accumulating a total of 35,800 downloads. Additionally, Koi telemetry shows that as of this writing, 10 infected extensions are currently active, publicly available, and distributing malware.
“The attacker’s command and control infrastructure remains fully operational; payload servers are still responsive and stolen credentials are being used to compromise new packages.”
CodeJoy Malware Is Invisible, Koi Security Decodes It
Koi’s risk analysis engine flagged an Open VSX extension called CodeJoy after it noticed an “unusual behavior change” in version 1.8.3. CodeJoy looks like a legitimate developer productivity tool with hundreds of downloads, a clean codebase, and regular updates.
“When we opened the source code, we noticed a large gap between lines 2 and 7,” Koi researchers said. “This is not an empty space. It is malicious code encoded with unprintable Unicode characters that are not visible in the code editor.”
CodeJoy’s invisible code. Source: Koi Research
The attackers used invisible Unicode variation selectors that made the malicious payload undetectable to the human eye. Static analysis tools and manual code review showed nothing unusual, yet the JavaScript interpreter executed the hidden commands flawlessly.
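A defender-side check for the trick described above, added here as an example and not Koi’s tooling or any code from the CodeJoy extension: it scans source text for code points that render as nothing in an editor (variation selectors, zero-width characters, tag characters) and reports where they cluster. The sample file is constructed; the attacker’s actual encoding scheme is not on the page, so the scanner locates such characters rather than decoding them.

```javascript
// Added example, not the original page's code. Flags "invisible" Unicode code
// points of the kind GlassWorm hid a payload in, reporting them per line.

// Ranges that draw nothing in most editors but are legal inside JS comments,
// string literals and template literals.
const INVISIBLE_RANGES = [
  [0xfe00, 0xfe0f, "variation selector"],
  [0xe0100, 0xe01ef, "variation selector supplement"],
  [0x200b, 0x200f, "zero-width / bidi mark"],
  [0x2060, 0x2064, "word joiner / invisible operator"],
  [0xfeff, 0xfeff, "zero-width no-break space"],
  [0xe0000, 0xe007f, "tag character"],
];

function classify(cp) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// One finding per source line containing invisible code points:
// { line, count, kinds, firstCodePoint }. Iterating by code point (not UTF-16
// unit) matters: the supplement selectors are astral and span two units.
function scanInvisible(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    let count = 0;
    const kinds = new Set();
    let first = null;
    for (const ch of text) {
      const label = classify(ch.codePointAt(0));
      if (label === null) continue;
      count += 1;
      kinds.add(label);
      if (first === null) first = ch.codePointAt(0);
    }
    if (count > 0) findings.push({ line: idx + 1, count, kinds: [...kinds].sort(), firstCodePoint: first });
  });
  return findings;
}

// Constructed sample mimicking the pattern Koi described: a harmless-looking
// extension file whose apparently blank comment hides a run of selectors.
const hidden = Array.from({ length: 40 }, (_, i) => String.fromCodePoint(0xe0100 + (i % 16))).join("");
const SAMPLE = ["const vscode = require('vscode');", "", "/* " + hidden + " */",
  "function activate(context) {", "  console.log('extension ready');", "}"].join("\n");
console.log(scanInvisible(SAMPLE));
```

Any line where the count is high but the line looks blank in the editor is worth a byte-level look; a pre-commit or registry-side check with the same logic would have surfaced the gap between lines 2 and 7 that Koi found.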
Once decoded, the invisible characters revealed the second stage payload mechanism. Koi researchers discovered that the mechanism uses the Solana blockchain as its command and control (C2) infrastructure.
“The attackers are using public blockchains as their C2 channels, which are immutable, decentralized, and censorship-resistant,” Koi explained.
The malware scans the Solana network looking for transactions from hard-coded wallet addresses. Once it finds one, it reads the transaction’s memo field, which allows arbitrary text to be attached to a transaction. Inside that memo field is a JSON object containing a Base64-encoded link to download the next stage payload.
The Oct. 15 Solana transaction shown in Koi’s analysis contained data that decoded to a URL actively serving the next stage of the malware.
Attackers can rotate payloads by posting a new Solana transaction costing less than one cent, which updates every infected extension that queries the blockchain for new instructions.
According to Koi, even if a defender blocks one payload URL, an attacker can issue another transaction faster than one payload URL can be brought down.
A Koi researcher pointed out, “It’s like playing whack-a-mole with an infinite number of moles.”
Koi Security members Idan Dardikman, Yuval Ronen, and Lotan Sery confirmed that the attacker posted a new Solana transaction this week that included a new command endpoint.