GlassWorm fourth wave targets macOS with trojanized crypto wallets in VS Code extensions

A fourth wave of the GlassWorm campaign is targeting macOS developers with malicious Visual Studio Code and OpenVSX extensions that deliver trojanized crypto wallet apps and steal developer credentials, with download counters showing more than 33,000 installs.

KEY FACTS

  • Targets: macOS developers via VS Code/OpenVSX extensions
  • Install count: more than 33,000 downloads
  • Payload: AES-256-CBC-encrypted JavaScript that delays execution for 15 minutes
  • Capabilities: credential theft, Keychain access and attempts to replace hardware wallet apps
  • Persistence and C2: LaunchAgents for persistence and a Solana blockchain-based command and control channel

A technical analysis by Koi Security found that the campaign focuses on macOS and embeds an AES-256-CBC encrypted payload inside compiled JavaScript in OpenVSX extensions.

The malicious logic waits about 15 minutes before running, uses AppleScript to carry out its actions and registers LaunchAgents for persistence, while its command and control channel relies on the Solana blockchain.

The observed extension names include studio-velte-distributor.pro-svelte-extension, cudra-production.vsce-prettier-pro and Puccin-development.full-access-catppuccin-pro-extension.

Once active, the malware tries to harvest GitHub, npm and OpenVSX credentials, browser data, data from more than 50 browser cryptocurrency extensions and Keychain passwords. The data exfiltration and persistence functionality remain operational.

The code checks for Ledger Live and Trezor Suite and attempts to replace them with trojanized copies. The replacements were returning empty files, which suggests that the attacker's infrastructure or payloads may still be in preparation.

Developers who installed the named extensions are advised to remove them, reset GitHub passwords, revoke npm tokens and check or reinstall affected systems.
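As an added example (not code from the article or from Koi Security), the following POSIX shell check looks for the three extension IDs named above in VS Code extension directories and lists recently modified per-user LaunchAgents, the persistence location the report describes. The default paths are assumptions based on standard VS Code and macOS locations; pass other directories as arguments to scan elsewhere.

```shell
#!/bin/sh
# Added example, not code from the article or from Koi Security: check a
# developer workstation for the three extension IDs named in the report and
# list recently changed per-user LaunchAgents. Default paths are assumptions
# (standard VS Code and macOS locations).

# Extension IDs quoted in the report (publisher.name, compared case-insensitively).
GLASSWORM_IDS="studio-velte-distributor.pro-svelte-extension
cudra-production.vsce-prettier-pro
puccin-development.full-access-catppuccin-pro-extension"

# find_glassworm_extensions DIR... : print "MATCH: <path>" for every installed
# extension folder (named publisher.name-version) that matches a listed ID.
find_glassworm_extensions() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -d "$entry" ] || continue
            name=$(basename "$entry" | tr 'A-Z' 'a-z')
            for id in $GLASSWORM_IDS; do
                case "$name" in
                    "$id"|"$id"-*) echo "MATCH: $entry" ;;
                esac
            done
        done
    done
    return 0
}

# list_recent_launch_agents DAYS DIR... : print LaunchAgent plists modified in
# the last DAYS days; anything unexpected here deserves a manual look.
list_recent_launch_agents() {
    days=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -name '*.plist' -mtime "-$days"
    done
    return 0
}

# Run a full host check only when invoked with --scan, so the functions can be
# sourced without side effects.
if [ "${1:-}" = "--scan" ]; then
    find_glassworm_extensions "$HOME/.vscode/extensions" "$HOME/.vscode-oss/extensions"
    list_recent_launch_agents 30 "$HOME/Library/LaunchAgents"
fi
```

A match confirms only that a named extension folder is present; the remediation steps above (removal, password resets and token revocation) still apply whether or not a LaunchAgent is found.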

WHY IT MATTERS

The campaign targets developer tooling and cryptocurrency workflows, raising the risk to developer accounts and wallet security. Encrypted payloads, persistence mechanisms and a blockchain-based C2 make detection and response more complex.