
"If the compromised extensions are folded into code, they harvest NPM, GitHub, and Git credentials left by developers in their work, drain funds from 49 cryptocurrency wallets, deploy SOCKS proxy servers on developer computers, install hidden VNC servers for remote access, and use stolen credentials to compromise additional packages and extensions. Seven OpenVSX extensions were compromised last week and were downloaded over 35,000 times, the report says. In addition, another infected extension was detected in the VS Code marketplace over the weekend."
"The worms in the extensions evade detection using an old technique: Including malware written with Unicode variation selectors. These are special characters that are part of the Unicode specification but don't produce any visual output. 'To a developer doing code review, it looks like blank lines or whitespace,' says Koi Security. 'To static analysis tools scanning for suspicious code, it looks like nothing at all.' But to a JavaScript interpreter, it's executable code."
GlassWorm is a self-propagating worm found in the OpenVSX and Microsoft VS Code extension marketplaces. The malware harvests NPM, GitHub, and Git credentials left by developers, drains funds from 49 cryptocurrency wallets, deploys SOCKS proxy servers on developer machines, installs hidden VNC remote-access servers, and uses stolen credentials to compromise additional packages and extensions. Seven OpenVSX extensions were compromised and downloaded over 35,000 times, and an additional infected extension was detected in the VS Code marketplace. The worm evades detection by embedding malware using Unicode variation selectors that appear as whitespace to reviewers and some scanners. CISOs should treat it as an immediate security incident because extensions inherit full VS Code permissions once installed.
Read at InfoWorld
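
A check a reviewer or CI job could run for the evasion technique described above, as an added example that is not from the InfoWorld article or Koi Security's report: it reports lines that contain runs of Unicode variation selectors. The function name and the `minRun` threshold of 4 are assumptions; a single selector after an emoji is normal and is not flagged.

```javascript
// Added example: flag runs of Unicode variation selectors in source text.
// Ranges are from the Unicode standard: VS1-VS16 (U+FE00..U+FE0F) and
// VS17-VS256 (U+E0100..U+E01EF).
const isVariationSelector = (cp) =>
  (cp >= 0xfe00 && cp <= 0xfe0f) || (cp >= 0xe0100 && cp <= 0xe01ef);

// minRun is an assumed threshold: legitimate text (for example an emoji
// followed by U+FE0F) uses one selector after a visible base character.
function findVariationSelectorRuns(text, minRun = 4) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, idx) => {
    // Iterate by code point so selectors above U+FFFF count once each.
    const cps = Array.from(lineText, (ch) => ch.codePointAt(0));
    let start = -1;
    for (let i = 0; i <= cps.length; i++) {
      const inRun = i < cps.length && isVariationSelector(cps[i]);
      if (inRun && start < 0) start = i;
      if (!inRun && start >= 0) {
        const length = i - start;
        if (length >= minRun) {
          findings.push({ line: idx + 1, column: start + 1, length });
        }
        start = -1;
      }
    }
  });
  return findings;
}

// Constructed sample: line 2 renders as an empty string literal but holds
// 12 invisible code points; line 3 has an ordinary emoji selector.
const hidden = String.fromCodePoint(
  ...Array.from({ length: 12 }, (_, i) => 0xe0100 + i)
);
const sample = [
  "const greeting = 'hello';",
  "const pad = '" + hidden + "';",
  "const heart = '\u2764\uFE0F';",
].join("\n");

const report = findVariationSelectorRuns(sample);
for (const f of report) {
  console.log(`line ${f.line}, col ${f.column}: ${f.length} variation selectors`);
}
```

Columns are counted in code points, not UTF-16 units, so they may differ from an editor's column display on lines that contain other astral characters.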