Three Visual Studio Code (VS Code) extensions have been revealed to steal GitHub, Open VSX and cryptocurrency wallet credentials.
The attack was discovered by cybersecurity company Koi Security and named Operation GlassWorm, indicating that thousands of developer systems were infected by the extensions. The malicious code also lay dormant and only reactivated several months later, enabling credential theft and compromise of the software supply chain on a massive scale.
Malicious code bypasses web development messages
According to Koi Security, the attackers embedded invisible code into legitimate-looking VS Code extensions offered on the Visual Studio Marketplace as well as the Open VSX Registry. The hidden scripts stole NPM tokens, GitHub logins and Git credentials, giving the cybercriminals the access needed to hijack repositories and propagate the malware further into the software supply chain.
The research team confirmed that 49 cryptocurrency wallet extensions were also involved in the same campaign, enabling the cybercriminals to drain user funds and steal personal information. After activation, the malware installs SOCKS proxy servers as well as hidden VNC access, turning the developers' machines into controlled nodes in a criminal proxy network.
Open VSX eliminates malicious extensions
On October 21, Open VSX confirmed that all known malicious extensions had been removed and that compromised tokens had been revoked and rotated. But new findings show that GlassWorm returned on October 17 with enhanced Unicode obfuscation. The latest variant evades the majority of detection software; seven extensions, with more than 35,000 downloads combined, were infected.
According to Koi's telemetry, at least ten infected extensions are still live and distributing malware. The company also noted that the attackers' command-and-control servers had not been shut down and are still being used to compromise new targets.
CodeJoy extension unmasks Unicode attack
The attack came to light when Koi's risk engine flagged an Open VSX extension called CodeJoy following a suspicious code change in version 1.8.3. Although the extension appeared legitimate, researchers found malicious code on lines two through seven of the source. The attackers used unprintable Unicode variation selectors, rendering the payload invisible both to human eyes and to static analysis tools.

CodeJoy invisible code. Source: Koi Research
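One defensive check for the hiding technique described above, as an added example that is not Koi's tooling or the extension's code: a small Node.js scanner that flags source lines containing Unicode variation selectors (U+FE00 to U+FE0F and U+E0100 to U+E01EF), which editors and diff viewers render as nothing. The sample extension source and its hidden run are constructed for the example.

```javascript
// Added example (not Koi Research's tooling): scan source text for runs of
// Unicode variation selectors, which render as nothing in editors and diffs.
// Ranges covered: U+FE00-U+FE0F (Variation Selectors) and
// U+E0100-U+E01EF (Variation Selectors Supplement).
const VS_RUN = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;

// Returns one finding per line that carries variation selectors: the line
// number, how many selectors it holds, the longest contiguous run, and a
// printable preview with each invisible run replaced by a visible marker.
function findInvisibleRuns(source, minSelectors = 1) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    let total = 0;
    let longest = 0;
    for (const m of line.matchAll(VS_RUN)) {
      const count = [...m[0]].length; // count code points, not UTF-16 units
      total += count;
      longest = Math.max(longest, count);
    }
    if (total >= minSelectors) {
      findings.push({
        line: idx + 1,
        selectors: total,
        longestRun: longest,
        preview: line.replace(VS_RUN, (r) => `<${[...r].length} invisible cps>`),
      });
    }
  });
  return findings;
}

// Constructed sample: a benign-looking extension entry point with a hidden
// run of 30 variation selectors appended to an innocent statement on line 2.
const hidden = String.fromCodePoint(0xE0100, 0xE0142, 0xE0161, 0xFE0F, 0xE01EF).repeat(6);
const SAMPLE = [
  "const vscode = require('vscode');",
  `const version = '1.8.3';${hidden}`,
  "function activate(context) { console.log('ready'); }",
  "module.exports = { activate };",
].join('\n');

for (const f of findInvisibleRuns(SAMPLE)) {
  console.log(`line ${f.line}: ${f.selectors} invisible code points -> ${f.preview}`);
}
```

Running the scanner over an extension's packaged sources before installation, or in CI for your own repositories, surfaces hidden runs that a normal code review would never see.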
Decoded samples revealed a second-stage payload system whose control channel is the Solana blockchain. The malware scans the transactions of a particular wallet address and interprets the memo field, which carries encrypted links to new payloads. With every new transaction, the attackers can update the malware's instructions practically in real time.
Koi Security's researchers showed that the threat actors continue to publish new Solana transactions, keeping the campaign alive. The company cautions that a blockchain-powered command system of this kind makes the attack highly resilient and difficult to disrupt.