Cybersecurity

Cyber: Open Vsx Supply Chain Attack Used Compromised Dev Account To Spread...

2026-02-02 0 views admin
Cyber: Open Vsx Supply Chain Attack Used Compromised Dev Account To Spread...

Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer's resources to push malicious updates to downstream users.

"On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader," Socket security researcher Kirill Boychenko said in a Saturday report.

"These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases."

The supply chain security company said that the supply chain attack involved the compromise of the developer's publishing credentials, with the Open VSX security team assessing the incident as involving the use of either a leaked token or other unauthorized access. The malicious versions have since been removed from the Open VSX.

The poisoned versions, Socket noted, are designed to deliver a loader malware associated with a known campaign called GlassWorm. The loader is equipped to decrypt and run embedded at runtime, uses an increasingly weaponized technique called EtherHiding to fetch command-and-control (C2) endpoints, and ultimately run code designed to steal Apple macOS credentials and cryptocurrency wallet data.

At the same time, the malware is detonated only after the compromised machine has been profiled, and it has been determined that it does not correspond to a Russian locale, a pattern commonly observed in malicious programs originating from or affiliated with Russian-speaking threat actors to avoid domestic prosecution.

The kinds of information harvested by the malware include -

The targeting of developer information poses severe risks as it exposes enterprise environments to potential cloud account compromise and lateral movement attacks.

"The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation," Boychenko said.

A significant aspect of the attack is that it diverges from previously observed GlassWorm indicators in that it makes use of a compromised account belonging to a legitimate developer to distribute the ma

Source: The Hacker News

🏷️ Tags

cybersecuritysecuritymalwareattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views