The latest wave of the GlassWorm campaign targets macOS developers with malicious VSCode extensions, aiming to steal credentials and cryptocurrency wallet data. Despite increased defenses, the malware has re-emerged, now using advanced encryption and targeting hardware wallets. #GlassWorm #VSCodeExtensions
Key points
- GlassWorm malware is distributed through malicious extensions on OpenVSX and Microsoft Visual Studio Marketplace.
- The malware harvests credentials and cryptocurrency wallet data, including Keychain passwords and hardware wallets.
- Recent attacks on macOS use AES-256-CBC encryption, AppleScript, and LaunchAgents for persistence.
- The campaign has evolved to include capabilities like traffic routing via SOCKS proxy and remote access via VNC.
- Developers are advised to remove suspicious extensions and reset related account credentials immediately.
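The last point above says what to do but not how to find the suspicious items in the first place. As an added, defender-side example that is not from the original article or from any GlassWorm analysis, the script below inventories the two macOS locations the list mentions: the user's installed VS Code extensions (newest first, so a recent unexpected install stands out) and the per-user LaunchAgents directory, flagging any agent that launches `osascript` (AppleScript) or a program kept under a home or temp directory. The `extensions.json` layout (an array with `identifier.id`, `version` and `metadata.installedTimestamp` in milliseconds), the `SUSPECT_TOKENS` heuristic and the sample data it builds in a temporary directory are all assumptions; they are not indicators from the campaign.

```python
"""Inventory VS Code extensions and per-user LaunchAgents on macOS for review.

Hypothetical defender helper. File layouts and the suspect heuristic are
assumptions for illustration, not GlassWorm indicators.
"""
import json
import plistlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Heuristic (assumption): a LaunchAgent that runs osascript or a program living
# under a user home or temp directory deserves a manual look.
SUSPECT_TOKENS = ("osascript", "/Users/", "/tmp/", "/private/tmp/")


def list_vscode_extensions(vscode_home: Path) -> list:
    """Parse <vscode_home>/extensions/extensions.json, newest install first."""
    manifest = vscode_home / "extensions" / "extensions.json"
    if not manifest.is_file():
        return []
    out = []
    for entry in json.loads(manifest.read_text()):
        ts_ms = entry.get("metadata", {}).get("installedTimestamp")
        installed = None
        if isinstance(ts_ms, (int, float)):
            installed = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat()
        out.append({
            "id": entry.get("identifier", {}).get("id", "<unknown>"),
            "version": entry.get("version", "?"),
            "installed": installed,
        })
    return sorted(out, key=lambda e: e["installed"] or "", reverse=True)


def list_launch_agents(agents_dir: Path) -> list:
    """Parse every .plist in a LaunchAgents directory and flag suspect entries."""
    out = []
    for plist_path in sorted(agents_dir.glob("*.plist")):
        try:
            with plist_path.open("rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError) as exc:
            # An unparseable plist is itself worth a look.
            out.append({"file": plist_path.name, "error": str(exc), "suspect": True})
            continue
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        cmdline = " ".join(str(a) for a in args)
        out.append({
            "file": plist_path.name,
            "label": data.get("Label", "<none>"),
            "command": cmdline,
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "suspect": any(tok in cmdline for tok in SUSPECT_TOKENS),
        })
    return out


def audit(vscode_home: Path, agents_dir: Path) -> dict:
    """Combine both inventories into one report dictionary."""
    return {"extensions": list_vscode_extensions(vscode_home),
            "launch_agents": list_launch_agents(agents_dir)}


def build_sample_home() -> Path:
    """Constructed sample data so the script runs offline; nothing here is a real IoC."""
    home = Path(tempfile.mkdtemp())
    ext_dir = home / ".vscode" / "extensions"
    ext_dir.mkdir(parents=True)
    (ext_dir / "extensions.json").write_text(json.dumps([
        {"identifier": {"id": "example.legit-linter"}, "version": "2.1.0",
         "metadata": {"installedTimestamp": 1700000000000}},
        {"identifier": {"id": "example.recently-added"}, "version": "0.0.1",
         "metadata": {"installedTimestamp": 1720000000000}},
    ]))
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with (agents / "com.example.sync.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.sync",
                       "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"],
                       "RunAtLoad": True}, fh)
    with (agents / "com.example.update.plist").open("wb") as fh:
        # Constructed: an agent that runs an AppleScript from a cache directory.
        plistlib.dump({"Label": "com.example.update",
                       "ProgramArguments": ["/usr/bin/osascript",
                                            str(home / "Library" / "Caches" / "u.scpt")],
                       "RunAtLoad": True}, fh)
    return home


if __name__ == "__main__":
    home = build_sample_home()  # on a real Mac use Path.home() instead
    report = audit(home / ".vscode", home / "Library" / "LaunchAgents")
    for ext in report["extensions"]:
        print(f"extension {ext['id']} {ext['version']} installed {ext['installed']}")
    for agent in report["launch_agents"]:
        flag = "SUSPECT" if agent["suspect"] else "ok     "
        print(f"{flag} {agent['file']}: {agent.get('command', agent.get('error'))}")
```

Run it against `Path.home()` on the machine being checked; the output is a starting list for the manual review the article recommends, after which the credential and wallet resets it mentions still apply regardless of what the script flags.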