GlassWorm Malware Exploits Open VSX Extensions to Target macOS Developers
In a recent cybersecurity incident, malicious actors have infiltrated the Open VSX Registry, compromising legitimate developer extensions to distribute the GlassWorm malware. This sophisticated supply chain attack has primarily targeted macOS developers, aiming to steal sensitive information, including credentials and cryptocurrency wallet data.
The Breach:
On January 30, 2026, security researchers identified that four established Open VSX extensions, authored by oorzc, had been updated with malicious versions embedding the GlassWorm malware loader. These extensions, previously recognized as legitimate developer tools with over 22,000 downloads, were compromised through unauthorized access to the developer’s publishing credentials. The affected extensions include:
– FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
– I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
– vscode mindmap (oorzc.mind-map — version 1.0.61)
– scss to css (oorzc.scss-to-css-compile — version 1.3.4)
The Open VSX security team has since removed these malicious versions from the registry.
Malware Functionality:
The GlassWorm malware is engineered to decrypt and execute embedded code at runtime, employing advanced techniques like EtherHiding to retrieve command-and-control (C2) endpoints. Once activated, it targets a range of sensitive data, including:
– Credentials and cookies from Mozilla Firefox and Chromium-based browsers.
– Cryptocurrency wallet files from applications such as Electrum, Exodus, and Ledger Live.
– iCloud Keychain databases.
– Safari cookies and Apple Notes data.
– User documents from Desktop, Documents, and Downloads folders.
– FortiClient VPN configuration files.
– Developer credentials, including AWS and SSH keys.
Notably, the malware activates only after confirming that the infected system is not set to a Russian locale, a tactic often used by Russian-speaking threat actors to evade domestic prosecution.
Implications for Developers:
The targeting of developer credentials poses significant risks, potentially leading to cloud account compromises and lateral movement within enterprise environments. The malware includes routines to extract authentication materials from common workflows, such as npm configuration tokens and GitHub authentication artifacts, which could grant access to private repositories and continuous integration secrets.
Evolution of the Attack:
This incident marks a departure from previous GlassWorm campaigns, which relied on typosquatting and brandjacking to distribute malicious extensions. In this case, the attackers leveraged a compromised account of a legitimate developer, enhancing the credibility and reach of the malicious extensions. The attackers also utilized the Solana blockchain for dynamic dead drops, allowing them to rotate staging infrastructure without republishing extensions, thereby evading static detection methods.
Broader Context:
This attack is part of a growing trend of supply chain attacks targeting open-source software repositories. In mid-2025, a similar incident involved a fake VSCode extension named Solidity Language in the Open VSX registry, which executed PowerShell scripts to install remote access tools and steal cryptocurrency wallet passphrases. Such incidents underscore the vulnerabilities inherent in open-source ecosystems and the need for enhanced security measures.
Response and Mitigation:
In response to the breach, the Open VSX team has revoked compromised tokens and implemented shorter lifespans for access tokens to enhance security. Developers are advised to:
– Regularly audit and rotate access tokens.
– Implement multi-factor authentication for repository accounts.
– Monitor for unusual publishing activities.
– Use automated security scanning in continuous integration and delivery pipelines.
By adopting these practices, developers can help safeguard their projects and the broader open-source community from similar supply chain attacks.
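One concrete audit a developer can run against the indicators above, as an added example that is not part of the original article: it walks a local extensions directory, reads each extension's package.json, and flags any of the four oorzc extension versions named in this report. The extension IDs and versions are taken from the article; the directory layout (one folder per extension containing a package.json with publisher, name and version fields, as VS Code and VSCodium use) and the sample data are assumptions constructed for the demonstration.

```python
# Audit an extensions directory for the compromised oorzc versions named above.
# Extension layout is assumed (VS Code style); the sample directory is constructed.
import json
import os
import tempfile

# Known-bad versions as listed in the article: publisher.name -> version
COMPROMISED = {
    "oorzc.ssh-tools": "0.5.1",
    "oorzc.i18n-tools-plus": "1.6.8",
    "oorzc.mind-map": "1.0.61",
    "oorzc.scss-to-css-compile": "1.3.4",
}

def installed_extensions(extensions_dir):
    """Yield (extension_id, version) for each folder carrying a readable package.json."""
    for entry in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, entry, "package.json")
        if not os.path.isfile(manifest):
            continue
        try:
            with open(manifest, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort
        ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        yield ext_id, str(meta.get("version", ""))

def find_compromised(extensions_dir):
    """Return [(extension_id, version)] that exactly match a known-bad version."""
    return [(ext, ver) for ext, ver in installed_extensions(extensions_dir)
            if COMPROMISED.get(ext) == ver]

def build_sample_dir():
    """Construct a throwaway extensions directory: one compromised version,
    one clean earlier version of an affected extension, one unrelated extension."""
    root = tempfile.mkdtemp()
    samples = {
        "oorzc.ssh-tools-0.5.1": ("oorzc", "ssh-tools", "0.5.1"),
        "oorzc.mind-map-1.0.60": ("oorzc", "mind-map", "1.0.60"),
        "acme.linter-2.0.0": ("acme", "linter", "2.0.0"),
    }
    for folder, (publisher, name, version) in samples.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"publisher": publisher, "name": name, "version": version}, fh)
    return root

if __name__ == "__main__":
    for ext, ver in find_compromised(build_sample_dir()):
        print(f"compromised version installed: {ext}@{ver}")
```

Point find_compromised at the real extensions directory (for VS Code, typically ~/.vscode/extensions) to check a workstation; a match means the extension should be removed and the credentials the article lists as targeted should be treated as exposed and rotated.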