VS Code
-
CrowdStrike and partners disrupt GlassWorm malware command channels
CrowdStrike said it and partners disrupted all command and control channels used by GlassWorm, a developer-targeting malware campaign that poisoned more than 300 GitHub repositories and used four separate infrastructure layers.
-
Compromised Nx Console VS Code extension targeted developers in supply chain breach
A compromised Nx Console VS Code extension spread credential-stealing malware to developers after being published on the Microsoft marketplace. The incident affected more than 2.2 million installations and prompted update and credential-rotation warnings.
-
Researchers flag 73 fake VS Code extensions tied to GlassWorm campaign
Researchers flagged 73 fake Visual Studio Code extensions on Open VSX tied to the GlassWorm campaign. Six were confirmed malicious, while the rest were sleeper packages designed to build trust before delivering malware.
-
North Korean-linked actors use malicious VS Code projects to deploy backdoor
Jamf reported that North Korean-linked actors abused Visual Studio Code task files to execute obfuscated JavaScript that fetches backdoors and enables remote code execution, targeting developers who clone and open repositories.
-
Evelyn Stealer targets VS Code extensions to harvest developer credentials
Trend Micro published a technical analysis describing Evelyn Stealer, an information stealer distributed via malicious VS Code extensions. The malware harvests developer credentials and crypto wallets and uploads data to an FTP server.
-
North Korea-linked actors exploit React2Shell flaw to deploy EtherRAT using Ethereum-based C2
Sysdig reported that actors tied to North Korea exploited a critical React Server Components flaw to deploy EtherRAT, a Node.js-based remote access trojan that uses Ethereum smart contracts and RPC consensus for C2 resolution and multiple Linux persistence mechanisms.
-
Researchers find VS Code extensions that install stealer malware, Microsoft removes packages
Researchers and security firms found two malicious Visual Studio Code extensions that stole credentials, screenshots and browser data; Microsoft removed the packages and analysts warned developers to review extensions and supply-chain risks.
-
GlassWorm malware returns with 24 malicious VS Code packages on Open VSX and Microsoft marketplace
The GlassWorm malware has returned in a third wave with 24 malicious VS Code extension packages on Open VSX and the Microsoft Visual Studio Marketplace, using obfuscation and Rust-based implants to steal credentials, deploy proxies and enable remote access.
-
Malicious Open VSX extension delivers SleepyDuck RAT and uses Ethereum contract for fallback control
Researchers warned that a malicious Open VSX extension, juan-bianco.solidity-vlang, installs a SleepyDuck remote access trojan that uses an Ethereum smart contract and a fallback RPC mechanism to update its command-and-control details.
-
TA415 Uses Visual Studio Code Remote Tunnels in Targeted U.S.-China Policy Espionage Campaign
A China-aligned threat actor known as TA415 carried out spear-phishing campaigns targeting U.S. policy and economic-relations circles, using VS Code Remote Tunnels and a Python loader, WhirlCoil, to establish a persistent backdoor and harvest data amid ongoing U.S.-China trade talks, according to Proofpoint.









