- Threat actors compromised a legitimate developer’s account on the Open VSX Registry to publish malicious versions of four extensions.
- The poisoned extensions delivered the GlassWorm malware loader, designed to steal cryptocurrency data and developer credentials.
- The malware specifically avoided infecting machines with a Russian locale, a common evasion tactic.
- Over 22,000 downloads had been recorded for the now-compromised extensions prior to the attack.
On February 2, 2026, cybersecurity researchers revealed a significant supply chain attack that compromised the popular Open VSX Registry. Unidentified threat actors hijacked a legitimate developer’s account to push malicious updates to widely used developer tool extensions. According to a report by Socket security researcher Kirill Boychenko, these poisoned versions delivered a dangerous malware loader.
The attack specifically targeted four extensions published under the account “oorzc,” including FTP/SFTP/SSH Sync Tool and vscode mindmap. These extensions had accumulated more than 22,000 downloads before the malicious releases were published. The Open VSX security team assessed that the developer’s publishing credentials were compromised, possibly through a leaked token.
Consequently, the malicious updates delivered a payload associated with the known GlassWorm campaign. This malware used an EtherHiding technique to fetch command-and-control servers. It was also programmed to profile a victim’s machine and avoid execution if a Russian locale was detected.
Meanwhile, the malware’s primary function was to steal sensitive information for financial gain. Its targets included data from Firefox and Chromium-based browsers, such as login credentials and cryptocurrency wallet extensions like MetaMask. It also hunted for specific cryptocurrency wallet files from Electrum, Exodus, Ledger Live, and Trezor Suite.
The malware further sought developer credentials from directories like `~/.aws` and `~/.ssh`. Boychenko noted, “The payload includes routines to locate and extract authentication material used in common workflows.” This data theft posed severe risks for lateral movement within enterprise environments.
However, this incident marked a tactical shift in the GlassWorm campaign’s methods. Instead of using typosquatting, the actors leveraged a legitimate, compromised developer account. Socket said this approach allowed the threat actor to blend into normal workflows and hide behind encrypted loaders.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
