Dangerous new malware targets macOS devices via OpenVSX extensions - here's how to stay safe
GlassWorm malware is expanding to open source platforms
- GlassWorm malware campaign expanded from VS Code Marketplace to Open VSX
- Four compromised extensions delivered macOS infostealer stealing browser data, wallets, and keychain info
- Extensions downloaded 22,000 times; attackers excluded Russian systems, hinting at Russian origin
GlassWorm, the malware campaign which targeted VS Code developers on Microsoft’s official Visual Studio Code marketplace, has now expanded to open source alternatives, experts have claimed.
Recently, security researchers at Socket said they had discovered four such extensions in Open VSX, an open, vendor-neutral marketplace for editor extensions (mainly used by developers who work with VS Code-compatible editors).
These extensions started off as benign but were compromised at some point and used to deliver an infostealer to macOS users, in typical supply-chain attack style. Here is the list of the compromised extensions:
- oorzc.ssh-tools v0.5.1
- oorzc.i18n-tools-plus v1.6.8
- oorzc.mind-map v1.0.61
- oorzc.scss-to-css-compile v1.3.4
Cleaning up after the attack
They were updated to include malware on January 30, after staying legitimate for roughly two years.
The malware loads a macOS infostealer that harvests sensitive data from browsers (Firefox and Chromium), cryptocurrency wallet extensions and apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem.
Everything is then exfiltrated to an attacker-owned server.
In total, the extensions were downloaded 22,000 times, the researchers said, hinting at a relatively successful campaign. What’s more, the campaign targets exclusively macOS devices, while excluding Russian-locale systems, which could mean the attackers are of Russian origin.
Socket notified Open VSX's operator, the Eclipse Foundation, of its findings, and the platform revoked tokens and removed the malicious releases. This doesn't mean everyone is safe, though. Users who downloaded the extensions must still remove them, scan their systems for any remnants of the malware, and rotate their credentials to fully mitigate the risk.
One of the extensions, oorzc.ssh-tools, was reportedly removed from Open VSX entirely because it contained multiple malicious versions. The other extensions were simply cleaned up and returned to the platform.
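As an added example (not code from Socket, TechRadar or the Open VSX project), the following Python script checks an editor's installed-extensions folder against the four compromised releases named above. It assumes the standard VS Code layout of one folder per extension, each holding a package.json with publisher, name and version fields (VS Code keeps these under ~/.vscode/extensions, VSCodium under ~/.vscode-oss/extensions), and the "review" verdict for other versions of the same extensions is an assumption made here because the publishing account itself was hijacked.

```python
import json
from pathlib import Path
# Compromised releases named in the article, keyed by extension id (publisher.name).
COMPROMISED_RELEASES = {
    "oorzc.ssh-tools": "0.5.1",
    "oorzc.i18n-tools-plus": "1.6.8",
    "oorzc.mind-map": "1.0.61",
    "oorzc.scss-to-css-compile": "1.3.4",
}
# ssh-tools was pulled from Open VSX entirely (several malicious versions), so every version is flagged.
REMOVED_ENTIRELY = {"oorzc.ssh-tools"}

def classify(publisher: str, name: str, version: str) -> str:
    """Verdict for one extension: 'compromised', 'review' (other version of a hit; assumption) or 'ok'."""
    ext_id = f"{publisher}.{name}"
    if ext_id in REMOVED_ENTIRELY:
        return "compromised"
    if ext_id in COMPROMISED_RELEASES:
        return "compromised" if version == COMPROMISED_RELEASES[ext_id] else "review"
    return "ok"

def scan_manifests(manifests):
    """Return (ext_id, version, verdict) for every manifest whose verdict is not 'ok'."""
    findings = []
    for m in manifests:
        verdict = classify(m.get("publisher", ""), m.get("name", ""), m.get("version", ""))
        if verdict != "ok":
            findings.append((f"{m.get('publisher')}.{m.get('name')}", m.get("version", ""), verdict))
    return findings

def load_installed(root: Path):
    """Read package.json from each extension folder under root (e.g. ~/.vscode/extensions)."""
    manifests = []
    for pkg in root.glob("*/package.json"):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip it
    return manifests

if __name__ == "__main__":
    # Constructed sample manifests standing in for a real extensions directory.
    sample = [
        {"publisher": "oorzc", "name": "mind-map", "version": "1.0.61"},
        {"publisher": "oorzc", "name": "ssh-tools", "version": "0.4.9"},
        {"publisher": "ms-python", "name": "python", "version": "2024.0.1"},
    ]
    for ext_id, version, verdict in scan_manifests(sample):
        print(f"{verdict:11s} {ext_id}@{version}")
```

Pass a real extensions path to load_installed() and feed the result to scan_manifests(); any "compromised" hit calls for the removal, malware scan and credential rotation described above.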
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.