GlassWorm Returns with Over 24 Malicious Extensions Targeting Developers via VS Code and Open VSX


509/68 Thursday, December 4, 2025

The GlassWorm supply-chain attack campaign has resurfaced, leveraging the Microsoft Visual Studio Marketplace and the Open VSX platform to distribute more than 24 malicious extensions. These extensions impersonate popular developer tools, including Flutter, React, Tailwind, and Vue, in an attempt to trick developers into installing them.

GlassWorm was first uncovered in October 2025 and is notable for using the Solana blockchain as its command-and-control (C2) infrastructure. The malware can steal account credentials from npm, Open VSX, GitHub, and Git, and is capable of exfiltrating cryptocurrency assets from victims’ wallets. It can also convert compromised developer machines into nodes that support cybercriminal activity. A key threat posed by the campaign is its ability to reuse stolen credentials to compromise additional packages and extensions, which lets the malware spread in a worm-like fashion. Despite ongoing takedowns by platforms, the campaign has resurfaced in a new wave of attacks.

In the latest iteration, attackers embedded malware written in Rust that can run on both Windows and macOS systems. The extensions fetch C2 information from Solana wallets, or use Google Calendar as a fallback channel, before downloading secondary payloads. Researchers also observed manipulated download counts, which artificially increase credibility and ranking and raise the likelihood that developers will trust and install the extensions. Experts warn that a single installation click is enough to result in a full system compromise and widespread data leakage.

Source: https://thehackernews.com/2025/12/glassworm-returns-with-24-malicious.html