GlassWorm has evolved to abuse Open VSX manifest relationships (extensionPack and extensionDependencies) to convert benign-appearing extensions into transitive delivery vehicles that pull GlassWorm-linked packages in later updates. The campaign also upgraded its loader and infrastructure—using staged JavaScript, Russian locale/timezone gating, Solana transaction memos as dead drops, heavier RC4/base64 obfuscation, rotated Solana wallets and C2 IPs—making single-release reviews insufficient. #GlassWorm #OpenVSX
Keypoints
- Threat actor now abuses Open VSX manifest fields extensionPack and extensionDependencies to cause editors to automatically install separate GlassWorm-linked extensions after trust is already established.
- Confirmed transitive delivery in otoboss.autoimport-extension (references to federicanc.dotenv-syntax-highlighting and oigotm.my-command-palette-extension) and live cases such as twilkbilk.color-highlight-css and crotoapp.vscode-xml-extension.
- Loader evolution preserves staged JavaScript execution, Russian geofencing, Solana memo dead drops, and in-memory follow-on execution while adding RC4/base64/string-array obfuscation and moving decryption material into HTTP response headers.
- Infrastructure rotation includes new Solana wallet 6YGcuyFRJ…, reuse of 45[.]32[.]150[.]251, and added C2 IPs 45[.]32[.]151[.]157 and 70[.]34[.]242[.]255, increasing survivability and evasion.
- Operational risk: extensions that appear benign at publication can become malicious via later-version manifest changes, so auditing extension histories and manifest diffs is critical.
- Immediate recommendations: audit version-to-version manifest changes for added extensionPack/extensionDependencies, remove/block GlassWorm-linked packages and indicators, and use tooling (e.g., Socket GitHub App/CLI/Firewall) to detect and block transitive malicious installs.
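The audit recommended above, as an added example that is not part of the Socket report or of Socket's tooling: it diffs successive versions of one extension's package.json, flags every extension id newly added to extensionPack or extensionDependencies, and raises severity when the id is one of the GlassWorm-linked extensions named in this report. The two manifests are constructed to mirror the otoboss.autoimport-extension case described above, not copied from the real extension.

```python
"""Audit an extension's manifest history for transitive-delivery changes.

Added example (not Socket's code). Flags extension ids that a later version
adds to the auto-install fields extensionPack / extensionDependencies and
marks those on the report's GlassWorm-linked list as high severity.
"""
import json

# Extension ids the report names as GlassWorm-linked or transitively malicious.
GLASSWORM_LINKED = {
    "otoboss.autoimport-extension",
    "federicanc.dotenv-syntax-highlighting",
    "oigotm.my-command-palette-extension",
    "twilkbilk.color-highlight-css",
    "crotoapp.vscode-xml-extension",
    "aadarkcode.one-dark-material",
}

# Manifest fields that make the editor install other extensions automatically.
TRANSITIVE_FIELDS = ("extensionPack", "extensionDependencies")


def transitive_refs(manifest):
    """Return {field: set of lower-cased extension ids} for the auto-install fields."""
    refs = {}
    for field in TRANSITIVE_FIELDS:
        values = manifest.get(field)
        if not isinstance(values, list):
            values = []  # tolerate missing or malformed fields
        refs[field] = {v.lower() for v in values if isinstance(v, str)}
    return refs


def diff_versions(old_manifest, new_manifest):
    """Compare two versions of one extension's package.json.

    One finding per extension id that the newer version adds to an
    auto-install field: severity 'high' when the id is GlassWorm-linked,
    'review' otherwise (any new auto-install relationship deserves a look).
    """
    old_refs = transitive_refs(old_manifest)
    new_refs = transitive_refs(new_manifest)
    findings = []
    for field in TRANSITIVE_FIELDS:
        for ext_id in sorted(new_refs[field] - old_refs[field]):
            findings.append({
                "field": field,
                "extension": ext_id,
                "severity": "high" if ext_id in GLASSWORM_LINKED else "review",
                "from_version": old_manifest.get("version"),
                "to_version": new_manifest.get("version"),
            })
    return findings


def audit_history(versions):
    """Walk an ordered list of manifests (oldest first) and diff each adjacent pair."""
    findings = []
    for older, newer in zip(versions, versions[1:]):
        findings.extend(diff_versions(older, newer))
    return findings


# Constructed sample history (not the real extension's manifests): v1.0.0 has
# no auto-install fields, v1.1.0 adds an extension pack pulling two
# GlassWorm-linked extensions.
SAMPLE_HISTORY = [
    json.loads('{"name": "autoimport-extension", "publisher": "otoboss", "version": "1.0.0"}'),
    json.loads(
        '{"name": "autoimport-extension", "publisher": "otoboss", "version": "1.1.0",'
        ' "extensionPack": ["federicanc.dotenv-syntax-highlighting",'
        ' "oigotm.my-command-palette-extension"]}'
    ),
]

if __name__ == "__main__":
    for f in audit_history(SAMPLE_HISTORY):
        print(f"[{f['severity']}] {f['from_version']} -> {f['to_version']}: "
              f"{f['field']} now pulls {f['extension']}")
```

The diff is taken pairwise over the whole version list rather than against the first release only, so a relationship added and later removed still shows up; a single-release review of the latest version would miss exactly that.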
MITRE Techniques
- [T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools – GlassWorm abuses manifest relationships to deliver payloads transitively: [‘abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles’]
- [T1204] User Execution – Relies on normal user install/update behavior to trigger transitive installs: [‘When a user installs an extension that declares itself as an extension pack, the editor automatically installs every extension listed in the array alongside it.’]
- [T1480] Execution Guardrails – Uses locale/timezone gating to limit execution to specific environments (anti-analysis): [‘Russian locale/timezone geofencing’]
- [T1059.007] Command and Scripting Interpreter: JavaScript – Employs staged JavaScript execution and runtime eval/vm.Script to retrieve and run follow-on code: [‘staged JavaScript execution’ and ‘execution via eval and vm.Script with full Node.js primitives exposed’]
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Uses heavy obfuscation and encoded/encrypted loaders (RC4/base64/string-arrays, earlier AES wrapper): [‘replaced the earlier static AES-wrapped loader with heavier RC4/base64/string-array obfuscation’]
- [T1102.001] Web Service: Dead Drop Resolver – Uses Solana transaction memos as dead-drop lookups for follow-on payloads: [‘Solana transaction memos as dead drops’]
Indicators of Compromise
- [Open VSX Extensions] transitively malicious or GlassWorm-linked package names – aadarkcode.one-dark-material, otoboss.autoimport-extension, and 90+ more extensions listed in the report
- [Solana Addresses] on-chain dead-drop and operator wallets – BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC, 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ
- [Embedded Crypto Material] in extensions or responses – AES key wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz, AES IV c4b9a3773e9dced6015a670855fd32b
- [IP Addresses] C2/RPC infrastructure – 45[.]32[.]150[.]251, 70[.]34[.]242[.]255, and 45[.]32[.]151[.]157
- [File Names] loader and runtime files – extension/out/extension.js (staged loader and heavy obfuscation observed)
- [Solana Program] memo program used for dead drops – MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr
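A defender-side sweep over the indicators above, as an added example that is not Socket's tooling: it refangs the defanged IPs, searches an extension's shipped JavaScript (the report names extension/out/extension.js) for every listed wallet, memo program id, AES material and C2 address, and separately notes the eval/vm.Script/new Function primitives the loader relies on, which many legitimate extensions also use and so count as a review prompt rather than a verdict. The sample file content is constructed and contains no real loader code.

```python
"""Scan extension JavaScript for the GlassWorm indicators listed in the report.

Added example (not Socket's code). Indicator values are copied from the
report; the sample source scanned at the bottom is constructed.
"""
import re

# Report indicators grouped by category. IPs stay defanged in this table and
# are refanged only at match time.
IOCS = {
    "solana_wallet": [
        "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC",
        "6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ",
    ],
    "solana_memo_program": ["MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr"],
    "aes_material": [
        "wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz",
        "c4b9a3773e9dced6015a670855fd32b",
    ],
    "c2_ip": ["45[.]32[.]150[.]251", "45[.]32[.]151[.]157", "70[.]34[.]242[.]255"],
}

# Node primitives the report says the loader uses to run follow-on code in memory.
DYNAMIC_EXEC = re.compile(r"\bvm\.Script\b|\beval\s*\(|\bnew\s+Function\s*\(")


def refang(value):
    """Turn a defanged indicator ('45[.]32[.]150[.]251') back into its live form."""
    return value.replace("[.]", ".")


def scan_source(source):
    """Return a list of (category, indicator) hits found in `source`.

    Indicators are reported in their defanged form so findings can be pasted
    into tickets safely.
    """
    hits = []
    for category, values in IOCS.items():
        for value in values:
            if refang(value) in source:
                hits.append((category, value))
    if DYNAMIC_EXEC.search(source):
        hits.append(("dynamic_exec", "eval/vm.Script/new Function present"))
    return hits


def classify(source):
    """'glassworm-indicator' if any report IoC matches; 'dynamic-exec-only' if
    only runtime code execution is present (a review prompt, not a verdict);
    'clean' otherwise."""
    categories = {category for category, _ in scan_source(source)}
    if categories - {"dynamic_exec"}:
        return "glassworm-indicator"
    if "dynamic_exec" in categories:
        return "dynamic-exec-only"
    return "clean"


# Constructed sample of what a stripped-down extension/out/extension.js might
# contain; not real GlassWorm code, just the indicator strings in context.
SAMPLE_EXTENSION_JS = """
const vm = require('vm');
const rpc = 'http://45.32.150.251/';
const memoProgram = 'MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr';
new vm.Script(decoded);
"""

if __name__ == "__main__":
    for category, indicator in scan_source(SAMPLE_EXTENSION_JS):
        print(f"{category}: {indicator}")
    print("verdict:", classify(SAMPLE_EXTENSION_JS))
```

Because the loader moved decryption material into HTTP response headers and rotates wallets and C2 addresses, a clean result from this table is only as current as the table; the file-level scan complements, rather than replaces, the manifest-history audit above.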
Read more: https://socket.dev/blog/open-vsx-transitive-glassworm-campaign