GlassWorm Malware Returns to Shatter Developer Ecosystems

Summary

GlassWorm, a self-replicating supply-chain malware, has resurfaced after researchers at Socket found Trojanised versions of four legitimate Open VSX components. The malicious packages were removed following disclosure, but they had collectively amassed over 22,000 downloads before takedown. The malware steals developer and cloud credentials, desktop cryptocurrency wallet files and a wide range of macOS artefacts, then abuses publishing access to propagate further downstream.

This campaign retains GlassWorm’s blockchain-based command-and-control (Solana) and Google Calendar backup C2, while newer loaders use encrypted, staged techniques. Unlike prior waves that relied on typosquatting, this incident appears to have used an established publisher account — consistent with leaked tokens or account compromise. Socket published indicators of compromise and remediation advice for defenders.

Key Points

  • Socket discovered Trojanised versions of FTP/SFTP/SSH Sync Tool, I18n Tools, vscode mindmap and scss to css on Open VSX; the packages exceeded ~22,000 downloads prior to removal.
  • GlassWorm self-propagates by stealing credentials (NPM, GitHub, Git) and abusing publishing rights to push poisoned releases to downstream users.
  • Collected artefacts include macOS keychain data, browser cookies, MetaMask and other wallet-extension data, desktop wallet files, Apple Notes, VPN configs and developer secrets.
  • The malware uses the Solana blockchain for C2 and Google Calendar as a backup channel; recent variants use encrypted staged loaders rather than invisible Unicode tricks.
  • This wave differs by being published under an established publisher account — suggesting token or account compromise rather than simple typosquatting.
  • Recommended actions: remove affected extensions, rotate developer/cloud credentials, audit GitHub activity and CI/CD pipelines, and check macOS ~/Library/LaunchAgents for suspicious persistence.
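The last recommended action, checking ~/Library/LaunchAgents, is easy to do by hand once but tedious across a fleet. The script below is an added example, not from Socket's advisory or the Dark Reading article: it parses every LaunchAgent plist and reports jobs whose program lives outside a set of trusted prefixes. The prefix allow-list and the two sample plists are constructed for the example and are not published GlassWorm indicators.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Where a LaunchAgent's program normally lives. Anything else (home dir,
# /tmp, /private/var/folders) deserves a second look. This allow-list is an
# assumption made for the example, not a published IoC.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/opt/", "/Library/")


def program_of(plist: dict) -> str:
    """Executable a launchd job runs; 'Program' takes precedence over ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_launch_agents(agents_dir: str) -> list:
    """Return one finding per .plist whose program is outside TRUSTED_PREFIXES (or is unparseable)."""
    findings = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a malformed plist in this directory is itself worth reporting
            findings.append({"file": str(path), "label": "?", "program": "?",
                             "run_at_load": False, "reason": f"unparseable: {exc}"})
            continue
        prog = program_of(plist)
        if not prog.startswith(TRUSTED_PREFIXES):
            findings.append({"file": str(path), "label": plist.get("Label", "?"), "program": prog,
                             "run_at_load": bool(plist.get("RunAtLoad", False)),
                             "reason": "program outside trusted prefixes"})
    return findings


def build_sample_dir() -> str:
    """Write two constructed plists (one benign, one Apple-lookalike in a cache dir) and return the dir."""
    d = tempfile.mkdtemp()
    benign = {"Label": "com.example.updater", "Program": "/Applications/Example.app/Contents/MacOS/updater",
              "RunAtLoad": True}
    shady = {"Label": "com.apple.sync", "ProgramArguments": ["/Users/dev/Library/Caches/.sync/helper", "--quiet"],
             "RunAtLoad": True}
    for name, data in (("com.example.updater.plist", benign), ("com.apple.sync.plist", shady)):
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(data, fh)
    return d


if __name__ == "__main__":
    target = os.path.expanduser("~/Library/LaunchAgents")
    for finding in audit_launch_agents(target if os.path.isdir(target) else build_sample_dir()):
        print(finding)
```

Run it on each developer Mac and review the flagged entries alongside the extension removal and credential rotation steps above; a program in a cache or temp directory with RunAtLoad set is the pattern to escalate.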

Why should I read this?

Heads up — if you touch open-source components, extensions or CI pipelines, this directly affects you. Poisoned packages slip into real projects and nick secrets; this piece gives the quick remediation checklist and points you to IOCs so you can act before someone else has to do the frantic midnight key-rotation.

Context and Relevance

Supply-chain attacks on developer ecosystems have been escalating (see Shai-Hulud and other recent incidents). GlassWorm is notable for its self-propagation and for using legitimate publisher accounts to reach many downstream projects. Organisations that rely on lots of open-source components, or that have lax token/account hygiene in publishing workflows, are at heightened risk. This reinforces the need for strict credential management, SBOMs, CI integrity checks and monitoring of developer endpoints.

Source

Source: https://www.darkreading.com/application-security/glassworm-malware-developer-ecosystems