Key points
- A compromised publisher account allowed malicious updates to four VS Code extensions with over 22,000 combined downloads.
- The injected code executes at runtime, avoids systems with Russian locales, and retrieves C&C data from Solana transaction memos.
- The loader focuses on macOS and deploys a Node.js implant for data theft and persistence.
- The malware harvests browser cookies, wallet-extension artifacts, macOS keychain items, developer credentials (AWS/SSH), and local documents.
- The attack used an established publisher identity rather than typosquatting, enabling stealthy supply-chain abuse and dynamic rotation of staging infrastructure.
Read More: https://www.securityweek.com/open-vsx-publisher-account-hijacked-in-fresh-glassworm-attack/