
Malicious Code Lurks in Developer Tools: VS Code, Go, npm, and Rust Packages Compromised

Updated: 1 day ago

Cybersecurity researchers have uncovered a sophisticated campaign targeting developers through malicious packages embedded in popular development tools and marketplaces. Extensions for Visual Studio Code, along with libraries for Go, npm, and Rust, have been found to contain malware designed to steal sensitive developer data, hijack browser sessions, and even establish remote access.


Key Takeaways

  • Malicious VS Code extensions disguised as themes and AI assistants have been discovered, stealing data and hijacking sessions.

  • Compromised packages in Go, npm, and Rust ecosystems are also exfiltrating sensitive information.

  • The "GlassWorm" malware utilizes invisible Unicode characters to evade detection and spreads autonomously.

  • Attackers are leveraging blockchain technology and other advanced techniques for command and control.

Malicious VS Code Extensions Unleash Data Theft

Two extensions on the Visual Studio Code Marketplace, masquerading as a premium dark theme and an AI coding assistant, were found to harbor stealer malware. These extensions, "BigBlack.bitcoin-black" and "BigBlack.codo-ai," were capable of downloading additional payloads, capturing screenshots, and siphoning data, including Wi-Fi passwords, clipboard contents, and browser session cookies. The stolen information was transmitted to attacker-controlled servers. Microsoft has since removed these extensions, along with a third, "BigBlack.mrbigblacktheme," from the marketplace.

Earlier versions of the malware used PowerShell scripts to download password-protected ZIP archives, while later iterations switched to batch scripts and commands for a stealthier approach. The final payload often relied on DLL hijacking, using legitimate binaries such as Lightshot to execute the malicious code.

Broader Ecosystem Compromised

The threat extends beyond VS Code, with malicious packages identified across other development ecosystems. Socket reported the discovery of:

  • Go packages (github.com/bpoorman/uuid and github.com/bpoorman/uid) that typosquat trusted libraries and exfiltrate data to a paste site.

  • A set of 420 npm packages with naming patterns like "elf-stats-*" that can execute reverse shells and exfiltrate files.

  • A Rust crate named finch-rust that impersonates a legitimate tool and acts as a loader for a credential-stealing payload called sha-rust.

The Evolving GlassWorm Campaign

The "GlassWorm" malware campaign, initially detected in October, has resurfaced in its third wave, targeting both the OpenVSX and Microsoft Visual Studio Code marketplaces. This self-propagating worm uses "invisible Unicode characters" to conceal its malicious code from human review and static analysis tools. Once installed, GlassWorm attempts to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data. It also deploys SOCKS proxies and installs HVNC clients for stealthy remote access.

Attackers are employing sophisticated methods for command and control, including the Solana blockchain and Google Calendar events, making takedowns challenging. The malware can also spread autonomously by using stolen account information to compromise additional extensions. Researchers noted that VS Code extensions auto-update, meaning users could be infected silently without any interaction.
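As an added illustration, not code from the article or from the researchers it cites, the Python script below flags runs of invisible Unicode code points in an unpacked VS Code extension's source files, the hiding technique described above. The set of file suffixes scanned, the extension directory location and the sample input are assumptions made for the example.

```python
import unicodedata
from pathlib import Path

# Code points that render as nothing in editors and diff views, so they can hide
# code from human review. Zero-width and bidi controls are Unicode category "Cf";
# the variation-selector blocks are category Mn, so they are listed explicitly.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # tag characters
]
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}  # assumption: typical extension files

def is_invisible(ch):
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"  # ZWSP, bidi overrides, BOM, ...
            or any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES))

def scan_text(text):
    """Return one finding per run of invisible code points (1-based line/col)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        i = 0
        while i < len(line):
            if not is_invisible(line[i]):
                i += 1
                continue
            j = i
            while j < len(line) and is_invisible(line[j]):
                j += 1
            findings.append({"line": lineno, "col": i + 1, "length": j - i,
                             "codepoints": ["U+%04X" % ord(c) for c in line[i:j]]})
            i = j
    return findings

def scan_extension_dir(root):
    """Scan an unpacked extension tree (e.g. one folder under ~/.vscode/extensions)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: 8 variation selectors inside a string literal, plus a stray bidi override.
SAMPLE_JS = (
    'function activate(context) {\n'
    '  const blob = "data' + "".join(chr(0xFE00 + k) for k in range(8)) + '";\n'
    '  console.log("activated");\u202e\n'
    '}\n'
)
```

Run `scan_extension_dir()` against each installed extension folder and treat any non-empty report as something to review by hand; legitimate code rarely contains these code points outside of i18n data.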

Recommendations for Developers and Organizations

Security experts advise developers and organizations to take immediate action:

  • Disable automatic extension updates.

  • Carefully review and vet all installed extensions.

  • Block access to untrusted marketplaces.

  • Log out of developer tools and reboot machines.

  • Revoke and rotate any potentially compromised credentials.

  • Monitor workstations for suspicious network activity and processes.

  • Implement least privilege access controls and robust incident response plans.

The increasing sophistication of these supply chain attacks underscores the critical need for vigilance within the developer community and enhanced security measures across software development pipelines.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data, The Hacker News.

  • Malicious VS Code Extensions Found Stealing Developer Data, Hijacking Browser Sessions, CXO Digitalpulse.

  • Glassworm malware returns in third wave of malicious VS Code packages, BleepingComputer.

  • Self-propagating worm found in marketplaces for Visual Studio Code extensions, InfoWorld.

  • Self-spreading GlassWorm malware hits OpenVSX, VS Code registries, BleepingComputer.
