Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm

Researchers disclosed a supply chain attack on the Open VSX Registry in which attackers used a compromised developer account (oorzc) to publish four malicious extension updates that delivered the GlassWorm loader. The loader uses EtherHiding, runtime decryption, and Solana memos to fetch its C2 infrastructure, then exfiltrates macOS credentials, browser data, and cryptocurrency wallet files. The poisoned versions have been removed, and the researchers urge behavioral detection and rapid response. #GlassWorm #OpenVSX

Key points

  • A supply chain attack on January 30, 2026, targeted four extensions published by oorzc on Open VSX.
  • Malicious updates embedded the GlassWorm loader and were downloaded over 22,000 times before removal.
  • The loader uses runtime decryption and EtherHiding to retrieve C2 infrastructure and evade static detection.
  • GlassWorm exfiltrates macOS credentials, browser logins and cookies, cryptocurrency wallet files, iCloud Keychain, and developer artifacts like ~/.aws and ~/.ssh.
  • Attackers abused a compromised developer account and used Solana memos for dynamic infrastructure rotation, increasing the need for behavioral detection and rapid incident response.
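
As an added defender-side example (not code from the article or the researchers): a small audit script that walks a local VS Code or VSCodium extensions directory, flags any extension whose package.json publisher is the compromised account named above, and lists extension scripts that reference the credential locations the report says GlassWorm targets. The path patterns are an assumed heuristic and the sample extension tree is constructed; because the loader decrypts its payload at runtime, a clean static match is not evidence that an extension is safe.

```python
import json
import re
import tempfile
from pathlib import Path

# Publisher named in the report. Extension names and malicious versions are not
# given on the page, so matching is by publisher only.
COMPROMISED_PUBLISHERS = {"oorzc"}
# Assumed heuristic: credential locations the report lists (~/.aws, ~/.ssh,
# Keychain) plus Chromium's login and cookie database file names.
SENSITIVE_PATTERNS = re.compile(r"\.aws|\.ssh|Keychain|Login Data|Cookies", re.I)


def audit_extensions(ext_root: Path) -> list:
    """Walk an extensions directory (e.g. ~/.vscode/extensions or
    ~/.vscode-oss/extensions) and return one finding per suspicious extension."""
    findings = []
    for pkg in sorted(ext_root.glob("*/package.json")):
        meta = json.loads(pkg.read_text())
        publisher = meta.get("publisher", "")
        ident = f"{publisher}.{meta.get('name', '?')}@{meta.get('version', '?')}"
        reasons = []
        if publisher in COMPROMISED_PUBLISHERS:
            reasons.append("publisher named in GlassWorm report")
        hits = set()
        for js in pkg.parent.rglob("*.js"):
            text = js.read_text(errors="ignore")
            hits.update(m.group(0) for m in SENSITIVE_PATTERNS.finditer(text))
        if hits:
            reasons.append("references credential paths: " + ", ".join(sorted(hits)))
        if reasons:
            findings.append({"extension": ident, "reasons": reasons})
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: one benign extension and one from the compromised publisher."""
    root = Path(tempfile.mkdtemp())
    samples = [("someone", "good-ext", "console.log('hello');"),
               ("oorzc", "sample-ext", "fs.readFileSync(home + '/.ssh/id_rsa');")]
    for pub, name, js in samples:
        d = root / f"{pub}.{name}-1.0.0"
        d.mkdir()
        (d / "package.json").write_text(json.dumps(
            {"publisher": pub, "name": name, "version": "1.0.0"}))
        (d / "extension.js").write_text(js)
    return root


if __name__ == "__main__":
    for finding in audit_extensions(build_sample_tree()):
        print(finding)
```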

Read More: https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html