Rewterz

GlassWorm Malware Targets macOS via Trojanized VSCode Extensions – Active IOCs

Severity

High

Analysis Summary

Security researchers have identified a fourth wave of the GlassWorm malware campaign, this time targeting macOS developers through malicious extensions hosted on OpenVSX and the Microsoft Visual Studio Marketplace. The extensions masquerade as legitimate Visual Studio Code add-ons while delivering malicious payloads, including cryptocurrency wallet stealers.

GlassWorm was first observed in October, embedded in extensions that used invisible Unicode characters to conceal malicious code. Early versions targeted Windows systems and focused on stealing GitHub, npm, and OpenVSX credentials along with cryptocurrency wallet data. The malware also enabled remote access via VNC and let attackers proxy traffic through compromised machines with a SOCKS proxy.

Despite being publicly exposed, GlassWorm has resurfaced repeatedly: in early November on OpenVSX, in early December on the Visual Studio Marketplace, and now in its latest iteration, which targets macOS exclusively. Where previous waves relied on Unicode obfuscation or Rust binaries, the newest campaign embeds an AES-256-CBC-encrypted payload within compiled JavaScript. The malicious code activates only after a 15-minute execution delay, most likely to outlast the analysis window of automated sandboxes; short-running detonations will therefore see an apparently benign extension.

The macOS variant uses AppleScript instead of PowerShell and establishes persistence via LaunchAgents rather than registry modifications. Its Solana blockchain-based command-and-control (C2) infrastructure remains unchanged, and there is evidence of infrastructure reuse across campaigns.

Beyond targeting more than 50 browser-based crypto wallet extensions, GlassWorm now attempts to steal macOS Keychain passwords and checks for installed hardware wallet applications such as Ledger Live and Trezor Suite. It attempts to replace these with trojanized versions, although researchers note this capability is currently non-functional, suggesting the attackers are still preparing those payloads.

Three malicious OpenVSX extensions linked to this campaign have recorded over 33,000 downloads combined, though download counts on the marketplace can be artificially inflated. Developers who installed these extensions are strongly advised to remove them immediately, rotate credentials, revoke access tokens, and thoroughly inspect or reinstall affected systems.

Impact

  • Unauthorized Access
  • Data Exfiltration
  • Financial Loss

Indicators of Compromise

IP

  • 45.32.151.157

  • 45.32.150.251

  • 217.69.11.60

Remediation

  • Immediately uninstall the identified malicious VSCode/OpenVSX extensions to stop further malicious activity; removal alone does not undo persistence or credential theft that already occurred
  • Reset GitHub account passwords and revoke personal access tokens, SSH keys, and active sessions to prevent unauthorized repository access
  • Revoke and regenerate npm tokens to block abuse of compromised developer credentials
  • Rotate any other API keys, secrets, or authentication tokens that were present on the machine
  • Scan the system for persistence mechanisms such as suspicious LaunchAgents in ~/Library/LaunchAgents and /Library/LaunchAgents, particularly entries that run osascript or execute from user-writable paths
  • Check macOS Keychain for unauthorized access and treat every password stored in it as potentially compromised
  • Verify the integrity of installed cryptocurrency wallet applications (code signature and publisher)
  • Reinstall affected cryptocurrency wallet software from official sources and move funds if wallet secrets may have been exposed
  • Monitor network traffic for unusual outbound connections, including the IOC IPs above, and for unexpected SOCKS proxy listeners
  • Review browser extensions and remove any unknown or unnecessary add-ons
  • Apply endpoint security solutions capable of detecting malicious extensions
  • Restrict extension installation to trusted publishers only
  • Keep VS Code, macOS, and development tools fully up to date
  • Consider a full system reinstall if signs of deep compromise are detected
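The following script is an added triage example and is not tooling from the Rewterz advisory or from the GlassWorm researchers. It carries out two of the steps above on a macOS developer host: sweeping the LaunchAgent directories for entries that look like attacker persistence (the campaign is reported to use AppleScript and LaunchAgents) and matching the remote endpoints in `lsof -i -n -P` output against the three IOC IPs listed above. The directory list, the "suspicious agent" heuristics, and the sample lsof output are assumptions or constructed data; a hit is a lead to inspect by hand, not proof of infection.

```python
#!/usr/bin/env python3
"""Triage a macOS developer host that installed a suspect VS Code / OpenVSX
extension: sweep LaunchAgents for likely persistence and match live network
connections against the advisory's IOC IPs.

Added example, not tooling from the advisory. Run as the affected user.
Directory list and heuristics are assumptions; tune them for your fleet."""
import os
import plistlib
import re
import subprocess

# IOC IPs from the advisory.
IOC_IPS = {"45.32.151.157", "45.32.150.251", "217.69.11.60"}

# Assumed drop locations for a non-root implant's LaunchAgent.
DEFAULT_AGENT_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
                      "/Library/LaunchAgents"]
# Interpreters worth a second look as a LaunchAgent's executable
# (the campaign uses AppleScript via osascript).
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "curl", "python3", "node"}
# Paths a vendor-installed agent rarely executes from.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{80,}")
REMOTE_ENDPOINT = re.compile(r"->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def assess_agent(plist):
    """Return the reasons a parsed LaunchAgent plist looks suspicious ([] = clean)."""
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if plist.get("Program"):
        args.insert(0, str(plist["Program"]))
    if not args:
        return []
    reasons = []
    exe = os.path.basename(args[0])
    if exe in INTERPRETERS:
        reasons.append(f"executable is interpreter {exe}")
    elif any("osascript" in a for a in args[1:]):
        reasons.append("arguments invoke osascript")
    if any(a.startswith(USER_WRITABLE_PREFIXES) for a in args):
        reasons.append("references a user-writable path")
    if any(BASE64_BLOB.fullmatch(a) for a in args):
        reasons.append("carries a long base64-like argument")
    label = str(plist.get("Label", ""))
    if label and "." not in label:
        reasons.append(f"label {label!r} is not reverse-DNS style")
    # Auto-restart is normal for real agents; report it only beside a stronger signal.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive")
    return reasons


def scan_launch_agents(directories=DEFAULT_AGENT_DIRS):
    """Parse every .plist under the directories; return {path: reasons} for hits."""
    findings = {}
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    reasons = assess_agent(plistlib.load(fh))
            except Exception as exc:  # an unparseable agent is itself worth a look
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                findings[path] = reasons
    return findings


def match_ioc_connections(lsof_text, iocs=IOC_IPS):
    """From `lsof -i -n -P` output, return (command, pid, ip, port) for every
    row whose remote endpoint is an IOC IP."""
    hits = []
    for line in lsof_text.splitlines()[1:]:  # first row is the header
        parts = line.split()
        m = REMOTE_ENDPOINT.search(line)
        if len(parts) >= 2 and parts[1].isdigit() and m and m.group(1) in iocs:
            hits.append((parts[0], int(parts[1]), m.group(1), int(m.group(2))))
    return hits


# Constructed sample of lsof output (not captured from a real infection).
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Code      4412 dev   23u  IPv4 0x1a2b      0t0  TCP 192.168.1.20:52311->140.82.112.4:443 (ESTABLISHED)
osascript 9031 dev    5u  IPv4 0x3c4d      0t0  TCP 192.168.1.20:52390->45.32.151.157:443 (ESTABLISHED)
node      9040 dev   21u  IPv4 0x7a8b      0t0  TCP 192.168.1.20:52402->217.69.11.60:8080 (SYN_SENT)
"""


def main():
    for path, reasons in scan_launch_agents().items():
        print(f"[agent] {path}: {'; '.join(reasons)}")
    try:
        out = subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        print("lsof not available; using the constructed sample instead")
        out = SAMPLE_LSOF
    for cmd, pid, ip, port in match_ioc_connections(out):
        print(f"[ioc] {cmd} (pid {pid}) -> {ip}:{port}")


if __name__ == "__main__":
    main()
```

Run it as the affected user so `~/Library/LaunchAgents` resolves to the right home. Because the payload activates only after a 15-minute delay, a clean `lsof` pass right after installation proves nothing; repeat the network check later or pull connection history from your EDR. Anything the script flags should be inspected by hand (signature of the executable, who installed it, when) before it is unloaded with `launchctl` and removed.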