Perceptive Security
SOC/SIEM Consultancy

Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm
Published:
2 February 2026 at 05:04:00
Alert date:
2 February 2026 at 06:01:15
Source:
thehackernews.com
Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration
Cybersecurity researchers disclosed a supply chain attack targeting the Open VSX Registry in which threat actors compromised a legitimate developer's account to distribute malicious updates. On January 30, 2026, four established Open VSX extensions from the 'oorzc' publisher received malicious versions embedding the GlassWorm malware. This attack represents a significant supply chain compromise affecting downstream users of the popular extension registry.
Technical details
Supply chain attack targeting the Open VSX Registry in which threat actors compromised a legitimate developer's publishing credentials, through either a leaked token or unauthorized account access, to push malicious updates. The malicious extensions delivered a GlassWorm loader that is decrypted at runtime, uses the EtherHiding technique to fetch C2 endpoints, and targets macOS systems. The malware profiles infected machines and avoids Russian locales. It harvests browser data, cryptocurrency wallets, iCloud Keychain contents and developer credentials, and uses Solana memos as a dynamic dead drop for infrastructure rotation.
Mitigation steps:
Check for and remove the malicious versions of the identified extensions from Open VSX installations. Implement behavioral detection and rapid response capabilities, as static indicators have reduced value against this threat. Monitor for unusual extension behavior and implement supply chain security measures for developer tools and credentials.
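The check in the first mitigation step, as an added example that is not part of this alert or of the source reports: a Python script that walks a VS Code-style extensions directory and flags the four oorzc extension versions listed under Affected products. It assumes the usual <dir>/<publisher>.<name>-<version>/package.json layout and the default ~/.vscode/extensions location; on a machine without that directory it runs against constructed sample manifests.

```python
"""Added example (not from the article or from Socket/Perceptive): scan a
VS Code-style extensions directory for the oorzc versions this advisory
names. Assumes the <dir>/<publisher>.<name>-<version>/package.json layout."""
import json
from pathlib import Path

# Extension IDs and the exact malicious versions listed in the advisory.
COMPROMISED = {
    "oorzc.ssh-tools": {"0.5.1"},
    "oorzc.i18n-tools-plus": {"1.6.8"},
    "oorzc.mind-map": {"1.0.61"},
    "oorzc.scss-to-css-compile": {"1.3.4"},
}

def classify(meta):
    """Verdict for one package.json: 'malicious' for a listed version, 'review'
    for any other version from the compromised publisher account, else 'clean'."""
    ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
    if ext_id not in COMPROMISED:
        return "clean"
    return "malicious" if meta.get("version") in COMPROMISED[ext_id] else "review"

def scan_manifests(manifests):
    """Return [(verdict, path)] for every (path, manifest) pair that is not clean."""
    verdicts = ((classify(meta), path) for path, meta in manifests)
    return [(v, p) for v, p in verdicts if v != "clean"]

def load_manifests(ext_dir):
    """Yield (path, manifest) for every <ext_dir>/*/package.json that parses."""
    for pkg in Path(ext_dir).glob("*/package.json"):
        try:
            yield str(pkg), json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not crash

# Constructed sample manifests, used when no real extensions directory exists.
SAMPLE = [
    ("ext/oorzc.ssh-tools-0.5.1/package.json",
     {"publisher": "oorzc", "name": "ssh-tools", "version": "0.5.1"}),
    ("ext/oorzc.mind-map-1.0.60/package.json",
     {"publisher": "oorzc", "name": "mind-map", "version": "1.0.60"}),
    ("ext/example.clean-ext-2.0.0/package.json",
     {"publisher": "example", "name": "clean-ext", "version": "2.0.0"}),
]

if __name__ == "__main__":
    ext_dir = Path.home() / ".vscode" / "extensions"  # assumed default location
    source = load_manifests(ext_dir) if ext_dir.is_dir() else SAMPLE
    for verdict, path in scan_manifests(source):
        print(f"{verdict.upper():9} {path}")
```

Point it at ~/.vscode-oss/extensions (VSCodium) or another client's extension directory by changing ext_dir; a 'review' hit is an extension from the compromised publisher at a version the advisory does not list, which still deserves a look.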
Affected products:
Open VSX Registry
FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
vscode mindmap (oorzc.mind-map — version 1.0.61)
scss to css (oorzc.scss-to-css-compile — version 1.3.4)
Mozilla Firefox
Chromium-based browsers
Electrum wallet
Exodus wallet
Atomic wallet
Ledger Live
Trezor Suite
Binance wallet
TonKeeper wallet
MetaMask
iCloud Keychain
Safari
Apple Notes
FortiClient VPN
Related links:
https://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise
https://github.com/oorzc/vscode_sync_tool/issues/25
https://thehackernews.com/2025/12/glassworm-returns-with-24-malicious.html
Related CVEs:
Related threat actors:
IOCs:
oorzc.ssh-tools version 0.5.1
oorzc.i18n-tools-plus version 1.6.8
oorzc.mind-map version 1.0.61
oorzc.scss-to-css-compile version 1.3.4
EtherHiding technique usage
Solana blockchain memos for C2 communication
Runtime-decrypted loaders
Avoidance of Russian-locale systems
This article was created with the assistance of AI technology by Perceptive.
