CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

GlassWorm malware targets OpenVSX, VS Code registries

First reported
Last updated
2 unique sources, 18 articles

Summary

Hide ▲

GlassWorm has escalated into a multi-stage framework combining remote access trojans (RATs), data theft, and hardware wallet phishing, now leveraging Solana dead drops for C2, a novel browser extension for surveillance, and the Model Context Protocol (MCP) ecosystem. The campaign delivers a .NET binary targeting Ledger and Trezor devices by masquerading as configuration errors and prompting users to input recovery phrases, while a Websocket-based JavaScript RAT exfiltrates browser data and deploys HVNC or SOCKS proxy modules. The malware uses a Google Chrome extension disguised as Google Docs Offline for session surveillance on cryptocurrency platforms like Bybit and harvests extensive browser data. Recent innovations include a Zig-compiled dropper embedded within an Open VSX extension named 'specstudio.code-wakatime-activity-tracker' masquerading as WakaTime, which installs platform-specific Node.js native addons compiled from Zig code to stealthily infect all IDEs on a developer's machine. This dropper downloads a malicious VS Code extension (.VSIX) named 'floktokbok.autoimport' from an attacker-controlled GitHub account, which impersonates a legitimate extension with over 5 million installs and installs silently across all detected IDEs, avoiding execution on Russian systems and communicating with the Solana blockchain for C2. A new large-scale social engineering campaign has emerged, distributing fake VS Code security alerts posted in GitHub Discussions to automate posts across thousands of repositories using low-activity accounts, triggering GitHub email notifications with fake vulnerability advisories containing realistic CVE references. Links redirect victims through a cookie-driven chain to drnatashachinn[.]com, where a JavaScript reconnaissance payload profiles targets before delivering additional malicious payloads. This operation represents a coordinated, large-scale effort targeting developers. GlassWorm remains a persistent supply chain threat impacting npm, PyPI, GitHub, and Open VSX ecosystems. Since its emergence in October 2025, the campaign has evolved from invisible Unicode steganography in VS Code extensions to a sophisticated multi-vector operation spanning 151 compromised GitHub repositories and dozens of malicious npm packages. The threat actor, assessed to be Russian-speaking, continues to avoid infecting Russian-locale systems and leverages Solana blockchain transactions as dead drops for C2 resolution. Recent developments include the ForceMemo offshoot that force-pushes malicious code into Python repositories, the abuse of extensionPack and extensionDependencies for transitive malware delivery, and the introduction of Rust-based implants targeting developer toolchains. Eclipse Foundation and Open VSX have implemented security measures such as token revocation and automated scanning, but the threat actors have repeatedly adapted by rotating infrastructure, obfuscating payloads, and expanding into new ecosystems like MCP servers. A new wave of the GlassWorm campaign targets the OpenVSX ecosystem with 73 "sleeper" extensions that activate after updates, delivering malware to developers. Six extensions have already been activated, while the remainder remain dormant or suspicious. The campaign leverages thin loaders that fetch secondary VSIX packages or platform-specific modules at runtime, marking a shift in the group's tactics to evade detection by avoiding direct malware embedding in initial uploads. The extensions mimic legitimate listings using identical icons and near-identical names to deceive developers. Developers who installed these extensions are advised to rotate all secrets and perform a full system clean-up. A compromised version of the Nx Console extension (rwl.angular-console version 18.95.0) targeting VS Code developers has been identified, distributing a multi-stage credential stealer and supply chain poisoning tool. The extension fetches an obfuscated 498 KB payload from a malicious orphaned commit in the nrwl/nx GitHub repository upon workspace opening, harvesting secrets via HTTPS, GitHub API, and DNS tunneling. It installs a macOS Python backdoor using the GitHub Search API as a dead drop resolver and includes Sigstore integration to generate cryptographically signed provenance, enabling attackers to publish seemingly legitimate npm packages. The exposure window lasted 11 minutes on May 18, 2026, and targeted non-Russian/CIS systems. Affected users are advised to rotate all reachable credentials and remove malicious artifacts.

Timeline

  1. 16.03.2026 21:37 5 articles · 2mo ago

    GlassWorm malware campaign targets Python repositories using stolen GitHub tokens

    A compromised version of the Nx Console extension (rwl.angular-console version 18.95.0) targeting VS Code developers has been identified, distributing a multi-stage credential stealer and supply chain poisoning tool. The extension silently fetches and executes a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository when a developer opens any workspace. The payload is a multi-stage credential stealer and supply chain poisoning tool that harvests developer secrets via HTTPS, the GitHub API, and DNS tunneling, and installs a Python backdoor on macOS systems that abuses the GitHub Search API as a dead drop resolver for receiving further commands. The root cause has been traced to one of the extension's developers, whose machine was compromised in a prior security incident that leaked their GitHub credentials. The leaked credentials were abused to push an orphaned, unsigned commit to nrwl/nx, introducing the stealer malware. The malware runs checks to avoid infecting machines likely located in the Russian/CIS time zones and operates as a detached background process to harvest credentials from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and AWS. The payload includes full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation, enabling attackers to publish downstream npm packages with valid, cryptographically signed provenance attestations, making malicious packages appear legitimate. The exposure window for the compromised extension occurred between May 18, 2026, at 12:36 UTC and 12:47 UTC. Indicators of compromise include files such as ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, or /tmp/kitty-*.* and running processes like a Python process running cat.py or one with __DAEMONIZED=1 in its environment. Affected users are recommended to terminate the aforementioned processes, delete artifacts on disk, and rotate all credentials reachable from the affected machine, including tokens, secrets, and SSH keys.

    Show sources
    Open in new tab
  2. 08.11.2025 18:17 7 articles · 6mo ago

    GlassWorm operators identified as Russian-speaking using RedExt C2 framework

    GlassWorm operators are Russian-speaking and use the RedExt open-source C2 browser extension framework. The malware has impacted systems globally, including the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security accessed the attackers' server and obtained key data on victims, including user IDs for multiple cryptocurrency exchanges and messaging platforms. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The Glassworm campaign is now in its third wave, with 24 new packages added on OpenVSX and Microsoft Visual Studio Marketplace. The malware now uses Rust-based implants and continues to employ invisible Unicode characters to hide malicious code. The packages target popular developer tools and frameworks, and the campaign uses artificially inflated download counts to manipulate search results. The third wave includes specific packages on both marketplaces, indicating a broad targeting scope. The new iteration of GlassWorm uses Rust-based implants packaged inside the extensions, targeting Windows and macOS systems. The implants fetch C2 server details from a Solana blockchain wallet address and use Google Calendar as a backup for C2 address retrieval. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  3. 02.11.2025 17:09 5 articles · 6mo ago

    GlassWorm threat actors pivot to GitHub using Unicode steganography

    The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. GlassWorm has returned with three new VSCode extensions on OpenVSX, downloaded over 10,000 times. The new extensions are ai-driven-dev.ai-driven-dev (3,400 downloads), adhamu.history-in-sublime-merge (4,000 downloads), and yasuyuky.transient-emacs (2,400 downloads). The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  4. 31.10.2025 10:02 6 articles · 6mo ago

    Eclipse Foundation revokes leaked tokens and introduces security measures

    Open VSX has implemented additional security measures, including shortening token lifetimes, faster revocation workflows, automated security scans, and threat intelligence sharing. The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  5. 20.10.2025 19:13 14 articles · 7mo ago

    GlassWorm malware campaign targets OpenVSX and VS Code registries

    A new wave of the GlassWorm campaign targets the OpenVSX ecosystem with 73 "sleeper" extensions that activate after updates, delivering malware to developers. Six of the extensions have already been activated, while researchers assess with high confidence that the rest are dormant or at least suspicious. When initially uploaded, the extensions are benign but deliver the payload at a later stage, revealing the attacker's true intention. This represents a shift in the attacker's strategy to introduce malicious payloads in subsequent updates rather than embedding them directly in the extensions, complicating early detection. The extensions act as thin loaders that fetch secondary VSIX packages from GitHub at runtime, load platform-specific compiled modules (.node files) containing core logic, or rely on heavily obfuscated JavaScript that decodes at runtime to fetch and install malicious extensions. The campaign continues to leverage compromised development ecosystems, including GitHub repositories, npm packages, and both the Visual Studio Code Marketplace and OpenVSX, reinforcing its persistent and adaptive nature. Developers who installed any of these extensions should assume compromise and rotate all secrets and passwords, performing a full system clean-up.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Compromised node-ipc npm Package Versions Deploy Stealer Payload via Obfuscated Backdoor

Three legitimate versions of the widely used node-ipc npm package (9.1.6, 9.2.3, and 12.0.1) were republished with malicious stealer/backdoor code by an unauthorized maintainer account named 'atiertant', triggering on require('node-ipc') and exfiltrating developer and cloud secrets to a rogue C2 server. The attack features novel evasion tactics including DNS-based exfiltration via a fake Azure-themed domain (sh.azurestaticprovider[.]net), conditional payload execution in version 12.0.1, and targeted collection of 90 categories of credentials. This incident follows a prior 2022 protest-related compromise where the original maintainer added destructive capabilities to versions 10.1.1 and 10.1.2 targeting systems in Russia or Belarus, yet node-ipc retains over 690,000 weekly downloads. Security vendors (Socket, Ox Security, Upwind) confirmed the malicious nature of the affected versions, which skip large files and avoid scanning .git and node_modules directories to reduce operational noise.

Open in new tab

Trojanized DAEMON Tools installers deliver multi-stage backdoor via signed software supply chain compromise

DAEMON Tools installers distributed from the official website and digitally signed with legitimate developer certificates were trojanized to deliver a multi-stage malware payload since April 8, 2026, compromising three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—to activate an implant on launch. The attack was officially confirmed by Disc Soft Limited on May 6, 2026, which acknowledged unauthorized interference within its infrastructure and released a malware-free version (DAEMON Tools Lite 12.6) on May 5, 2026. The compromised versions (12.5.0.2421 to 12.5.0.2434) contacted the C2 domain env-check.daemontools[.]cc to receive commands executed via cmd.exe, leading to the deployment of payloads including envchk.exe, cdg.exe, and a minimal backdoor capable of file exfiltration, command execution, and in-memory shellcode execution. The campaign, attributed to a Chinese-speaking adversary, showed targeted delivery with only a small subset of infected hosts receiving follow-on malware. The implant executed shell commands via cmd.exe to download and run further payloads, including a .NET reconnaissance tool (envchk.exe), a shellcode loader (cdg.exe), and a minimal backdoor with capabilities such as file exfiltration, command execution, and in-memory shellcode execution. Kaspersky telemetry observed several thousand infection attempts across over 100 countries, but second-stage backdoor delivery was highly targeted, with only a dozen hosts receiving follow-on malware. Infected systems receiving the backdoor belonged to organizations in retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand, with one educational institution in Russia receiving the QUIC RAT payload. The backdoor supports multiple C2 protocols and process injection techniques, and evidence suggests the activity is attributed to a Chinese-speaking adversary.

Open in new tab

Authentication bypass vulnerability in cPanel and WHM exploited as zero-day prior to patch

A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel, WHM, and WP Squared has been mass-exploited in 'Sorry' ransomware attacks since May 2026, compromising at least 44,000 cPanel IP addresses globally. The flaw, a CRLF injection in login and session loading processes, allows attackers to bypass authentication and gain full control over cPanel hosts, enabling deployment of a Go-based Linux encryptor that appends the '.sorry' extension to files. Encryption uses ChaCha20 with RSA-2048 key protection, rendering decryption impossible without the threat actor's private key. Ransom notes with a fixed Tox ID are dropped in each compromised folder. cPanel released emergency fixes on April 28, 2026, addressing versions 11.110.0 through 11.136.0 and WP Squared 11.136.1, with approximately 1.5 million exposed instances identified via Shodan scans. Emergency mitigations included port blocking and service suspensions.

Open in new tab

OpenAI, TanStack, and Mistral AI Impacted in Escalating Mini Shai-Hulud Supply Chain Campaign

The Mini Shai-Hulud supply chain campaign escalated with a new wave of over 600 compromised npm packages—primarily in the @antv ecosystem but also affecting widely used libraries like echarts-for-react and timeago.js—deploying a heavily obfuscated credential-stealing payload targeting developer workstations and CI/CD environments (GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI, Vercel, Netlify). The malware harvests and exfiltrates credentials (GitHub, npm, cloud providers, Kubernetes, Vault, Docker, database, SSH) using AES-256-GCM and RSA-OAEP encryption, with fallback exfiltration to GitHub repositories under victim accounts. A critical advance in this variant is its abuse of OIDC tokens from compromised CI environments to forge valid Sigstore provenance attestations via Fulcio and Reko, enabling malicious packages to bypass standard provenance verification despite containing the credential-stealer. The self-propagation mechanism validates stolen npm tokens, enumerates victim packages, injects the payload, and republishes infected versions with incremented numbers. Researchers observed 639 malicious versions across 323 packages in one hour, with over 2,700 rogue repositories created using stolen tokens. This development follows prior compromises of TanStack, Mistral AI, OpenAI, PyPI packages (Lightning, intercom-client), and GitHub Actions workflows ('actions-cool/issues-helper', 'actions-cool/maintain-one-comment'), reflecting the campaign's continued evolution and cross-platform reach. The campaign originated with the public release of the Shai-Hulud source code by TeamPCP, enabling rapid cloning and weaponization into variants such as 'chalk-tempalte', '@deadcode09284814/axios-util', 'axois-utils', and 'color-style-utils'. These earlier variants combined credential theft with additional threats like the 'Phantom Bot' DDoS botnet and leveraged developer tooling (VS Code, Claude Code) and CI/CD pipelines for persistence and propagation. Victims include OpenAI (two employee devices breached via TanStack), Mistral AI (trojanized SDKs released), SAP (four npm packages compromised), PyPI (Lightning 2.6.2/2.6.3, intercom-client 7.0.4), UiPath, Guardrails AI, OpenSearch, and hundreds of npm packages across multiple ecosystems. The malware's destructive sabotage component targets systems in Israel or Iran, activating a 1-in-6 probability payload that plays maximum-volume audio before deleting files. Attackers have established over 2,200 GitHub repositories marked with the campaign's exfiltration signature ('Shai-Hulud: Here We Go Again'), underscoring the scale and persistence of this multi-vector, multi-ecosystem intrusion set.

Open in new tab

Malicious Ledger Live macOS app on Apple App Store facilitates $9.5M crypto theft via seed phrase harvesting

A fraudulent Ledger Live macOS application, distributed through Apple’s App Store under the publisher name ‘Leva Heal Limited,’ compromised approximately 50 users in early April 2026, resulting in the theft of $9.5 million in cryptocurrency assets. The illicit app tricked users into entering seed phrases, granting attackers full wallet control and enabling fund transfers to attacker-controlled addresses. The incident is part of the broader Apple App Store infiltration campaign dubbed FakeWallet, linked to the SparkKitty operation and active since at least fall 2025. Kaspersky identified 26 malicious apps impersonating major wallets (e.g., Ledger, MetaMask, Coinbase) to steal seed phrases and drain crypto assets, with malware delivered via libraries, injected code, or OCR-based recovery phrase theft. Some apps contained latent malicious features awaiting future activation, and the campaign’s modules lacked regional restrictions despite initial targeting of Chinese-speaking users. Apple began removing malicious apps after Kaspersky’s disclosure, freezing implicated KuCoin accounts until April 20, 2026. New details indicate the apps redirected users to fake App Store-like browser pages to distribute trojanized wallet versions, while some non-crypto apps (e.g., games, calculators) acted as placeholders to direct victims to official wallets under regulatory pretexts. Attackers used OCR modules to capture recovery phrases and employed sophisticated phishing tactics, including code hooking during entry and fake verification prompts, to maximize theft efficiency.

Open in new tab