Self-Propagating GlassWorm Attacks VS Code Supply Chain www.darkreading.com/applicati…
A self-propagating worm is targeting Visual Studio Code (VS Code) extensions in a complex supply chain attack that has infected 35,800 developer machines so far, using techniques that researchers said they have not seen before in the wild.
Researchers at Koi Security discovered the malware, dubbed “GlassWorm,” on Oct. 18, after flagging an extension on the OpenVSX marketplace — an open source alternative to the Visual Studio Marketplace — called CodeJoy that “introduced some suspicious behavioral changes,” according to a blog post by Koi CTO and co-founder Idan Dardikman published on Saturday.
An investigation revealed that the extension was infected with an unusually stealthy malware that used printable Unicode characters that don’t render in a code editor, basically making “malicious code literally disappear,” Dardikman wrote.
“The malware is invisible,” he wrote. “Not obfuscated. Not hidden in a minified file. Actually invisible to the human eye.”
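One defensive check that follows from this: scan extension source for Unicode code points that an editor renders as nothing at all, so a run of such characters is surfaced before it is reviewed or installed. This is an added example, not code from the article or from Koi Security; the code-point ranges are my own selection of non-rendering characters, not a list taken from the GlassWorm analysis.

```javascript
// Added example: flag Unicode code points with no visible glyph in source
// text. The ranges are an assumption chosen by me, not the article's list.
const INVISIBLE_RANGES = [
  [0x200B, 0x200F, 'zero-width / bidi mark'],
  [0x202A, 0x202E, 'bidi embedding/override'],
  [0x2060, 0x2064, 'word joiner / invisible operator'],
  [0x2066, 0x2069, 'bidi isolate'],
  [0xFE00, 0xFE0F, 'variation selector'],
  [0xFEFF, 0xFEFF, 'zero-width no-break space (BOM when at offset 0)'],
  [0xE0000, 0xE007F, 'tag character'],
  [0xE0100, 0xE01EF, 'variation selector supplement'],
];

// Return the category label for a code point, or null if it is visible.
function classify(cp) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// One finding per invisible code point: 1-based line and column (column
// counted in code points), the code point in U+XXXX form, and its label.
function scanInvisible(source) {
  const findings = [];
  let line = 1;
  let col = 1;
  for (const ch of source) { // for..of walks code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    const label = classify(cp);
    if (label !== null) {
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      findings.push({ line, col, codePoint: 'U+' + hex, label });
    }
    if (ch === '\n') { line += 1; col = 1; } else { col += 1; }
  }
  return findings;
}

// Constructed sample: an innocuous file with a run of variation selectors
// appended to line 2, the kind of run a code editor would not display.
const SAMPLE = 'const greeting = "hello";\n' +
  'module.exports = greeting;' + '\u{E0101}\u{E0102}\uFE0F' + '\n';

for (const f of scanInvisible(SAMPLE)) {
  console.log(`${f.line}:${f.col} ${f.codePoint} ${f.label}`);
}
```

Run the same function over every file in an unpacked `.vsix` before installing it; any finding outside a string literal that legitimately needs these characters deserves a manual look.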
Further analysis uncovered a self-propagating malware that uses the Solana blockchain as its C2 and Google Calendar as a backup command server; harvests NPM, GitHub, and Git credentials for supply chain propagation; targets cryptocurrency wallets; deploys SOCKS proxy servers to turn developer machines into extended C2 infrastructure; installs hidden virtual network computing (VNC) servers for complete remote access; and spreads further by using stolen credentials to compromise additional packages and extensions.