Invisible malware spreads via VS Code extensions

"A new cyber threat is affecting developers worldwide who work with Visual Studio Code. Researchers at Koi Security have discovered an attack they call GlassWorm. It is a worm that spreads itself via infected VS Code extensions. According to Koi Security, it is the first attack of its kind to use so-called invisible Unicode characters, which make malicious code literally invisible to developers and security tools."
"GlassWorm goes beyond a traditional supply chain attack. The malware uses the Solana blockchain as its command-and-control infrastructure. Instead of receiving instructions from a central server, the worm reads data from the memo field of Solana transactions. This makes communication permanent, anonymous, and impossible to block. As a backup mechanism, the attacker even uses a Google Calendar event that hides an encrypted link to new instructions. This keeps the network active even if certain parts are removed."
GlassWorm is a worm that spreads via infected Visual Studio Code extensions. It inserts malicious code hidden with invisible Unicode characters, so the affected files look normal on manual inspection. The campaign began on the OpenVSX Marketplace when a popular extension, CodeJoy version 1.8.3, was infected. The worm uses the memo field of Solana blockchain transactions as a decentralized, persistent command-and-control channel, with a Google Calendar event as a backup distribution mechanism for encrypted instruction links. Distribution also occurs through npm and GitHub, where stolen authentication tokens are used to publish malicious packages and compromise repositories. The final stage includes a Zombi module that installs a remote access trojan.
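A defender can check extension or package sources for this kind of hidden content before installing or reviewing them. The scanner below is an added example, not code from Koi Security or from the article; it assumes "invisible" can be modelled by the Unicode property Default_Ignorable_Code_Point, and the function name, the run threshold and the sample input are constructed for illustration.

```javascript
// Added example: flag runs of invisible Unicode code points in source text.
// Assumption: "invisible" is modelled by the Unicode property
// Default_Ignorable_Code_Point (zero-width characters, variation selectors, tags).
const INVISIBLE_RUN = /\p{Default_Ignorable_Code_Point}+/gu;

// Returns one finding per run. Runs of minRun or more code points are marked
// suspicious: ordinary text (emoji sequences, a BOM) uses them one or two at a time.
function scanSource(text, minRun = 4) {
  const findings = [];
  // A single leading U+FEFF is a byte-order mark, not hidden content.
  const bom = text.startsWith("\uFEFF") ? 1 : 0;
  text.slice(bom).split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(INVISIBLE_RUN)) {
      const cps = Array.from(m[0], (ch) => ch.codePointAt(0));
      findings.push({
        line: idx + 1,
        column: m.index + 1 + (idx === 0 ? bom : 0), // 1-based, UTF-16 units
        length: cps.length,
        first: "U+" + cps[0].toString(16).toUpperCase().padStart(4, "0"),
        suspicious: cps.length >= minRun,
      });
    }
  });
  return findings;
}

// Constructed sample (not GlassWorm code): line 2 hides five variation selectors
// inside a string literal; line 1 holds a normal emoji sequence.
const SAMPLE = [
  "// heart \u2764\uFE0F is a normal emoji sequence",
  'const banner = "' + String.fromCodePoint(0xe0100, 0xe0101, 0xe0102, 0xe0103, 0xe0104) + '";',
  "module.exports = banner;",
].join("\n");

console.log(scanSource(SAMPLE).filter((f) => f.suspicious));
```

Findings that are not marked suspicious are still returned, so a reviewer can lower minRun for code bases that should contain no such characters at all.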
Read at Techzine Global