New research shows that the infamous GlassWorm malware has infected many more Open VSX software packages. Last year, the GlassWorm family of malware first appeared.

Its goal was to infect software developers with infostealers that attackers could use for later attacks. A developer would download a piece of software that GlassWorm had infected. The malware would then steal passwords and other private information from the developer. The attacker would then use this access to publish infected versions of the victim's projects.

A victim further down the line would download that infected package and keep the malware going. GlassWorm will also pretend to be well-known software packages in order to trick developers and end users into installing a harmful program.

Burckhardt says that companies should take this and other campaigns seriously because "developer tooling ecosystems have become an effective distribution channel for malware." This is partly because developer machines have valuable data and credentials on them. The vendor says that businesses should check their extensions for changes to extensionPack and extensionDependencies between versions, look over their install and update chains, and look for common GlassWorm signs like staged loaders, Russian gating, and Solana memo lookups.

"GlassWorm is moving toward delivery that is less visible and more stable. This includes changes to later versions of the manifest, transitive installation paths, heavier obfuscation, rotating Solana wallets and infrastructure, and decryption material controlled by threat actors," the blog post said.

"Defenders should expect more extensions that seem harmless when they are first published but become harmful when updates add extensionPack or extensionDependencies. That model is likely to spread because it hides the real bad part behind normal behavior for managing extensions."
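
One way to run the manifest check recommended above, as an added example that is not from the article or the vendor's blog post: it compares two versions of an extension's package.json and reports extensionPack or extensionDependencies entries that appear only in the newer version. The function names, the allowlist parameter and the sample manifests are constructed for illustration.

```python
import json

# Manifest fields that cause other extensions to be installed automatically.
LINK_FIELDS = ("extensionPack", "extensionDependencies")


def linked_extensions(manifest_text):
    """Return {field: set of lower-cased extension ids} for one package.json."""
    manifest = json.loads(manifest_text)
    result = {}
    for field in LINK_FIELDS:
        value = manifest.get(field) or []
        if not isinstance(value, list):
            value = [value]  # tolerate a malformed scalar instead of crashing
        result[field] = {str(v).strip().lower() for v in value if str(v).strip()}
    return result


def added_links(old_manifest_text, new_manifest_text, allowlist=()):
    """List (field, extension_id) pairs that only the newer version pulls in."""
    old = linked_extensions(old_manifest_text)
    new = linked_extensions(new_manifest_text)
    allowed = {a.lower() for a in allowlist}
    # An id that merely moved from one field to the other was already
    # installed, so compare against everything the old version linked.
    previously_linked = set().union(*old.values())
    findings = []
    for field in LINK_FIELDS:
        for ext_id in sorted(new[field] - previously_linked - allowed):
            findings.append((field, ext_id))
    return findings


# Constructed sample manifests (not taken from any real extension).
OLD = '{"name": "theme-demo", "publisher": "example", "version": "1.0.0"}'
NEW = """{"name": "theme-demo", "publisher": "example", "version": "1.0.1",
  "extensionPack": ["Example.helper-tools"],
  "extensionDependencies": ["example.runtime-loader", "approved.linter"]}"""

if __name__ == "__main__":
    for field, ext_id in added_links(OLD, NEW, allowlist=["approved.linter"]):
        print(f"REVIEW: version update adds {field} entry -> {ext_id}")
```

Any finding is a prompt to review the newly linked extension itself before the update is allowed onto developer machines.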