Malware Still Active: GlassWorm Found Again in Open-VSX Packages

Further instances of the malware, which steals credentials and cryptocurrency, have appeared on Open VSX and aim to establish themselves on GitHub.

(Image: window titled "Attack Successful"; Gorodenkoff/Shutterstock.com)


The supply chain attack via the Visual Studio Code marketplaces, discovered in mid-October, is apparently continuing: three more packages containing GlassWorm have appeared on the Eclipse Foundation's Open-VSX marketplace.

The packages use the same obfuscation techniques and the same attack patterns as the packages found in October. Shortly after the attack became known, the Eclipse Foundation had officially declared it over and announced additional security measures.

According to the security company Koi, the three packages found in early November, ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs, have a combined total of nearly 10,000 downloads.

Again, the attack relies on the Solana blockchain and uses sequences of Unicode characters that many editors do not display. Hints of malware with the same patterns can also be found on GitHub.

Koi gave the malware the name GlassWorm in October because, on the one hand, it is invisible in the editor and, on the other hand, it is said to replicate itself – similar to the Shai Hulud malware found on npm in September.

However, GlassWorm does not replicate independently; it merely steals credentials, including those for GitHub, which attackers presumably use with AI support to distribute the malware.


The malware not only contains obfuscated code, as usual, but also relies on Unicode characters that have no meaningful visual representation in the editor and are therefore often not displayed at all. For this, it uses sequences of Unicode variation selectors. The result is invisible to human reviewers. Diff viewers and similar tools likewise do not show the actual differences; they only indicate that differences exist. Only a small visible piece of code is needed to decode and execute the hidden rest.
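The following scanner is an added example, not code from the article or from Koi: it flags source lines containing runs of Unicode variation selectors or Private Use Area code points, the two character classes the article describes as hiding GlassWorm's payload, and ignores the single VS16 that legitimately follows an emoji. The sample input and the threshold `minRun` are constructed for illustration.

```javascript
// Added example (not from the article or from Koi): flag lines whose
// source contains runs of Unicode variation selectors or Private Use Area
// code points, the character classes GlassWorm hides its payload in.
const RANGES = [
  { kind: "variation-selector", lo: 0xfe00, hi: 0xfe0f },   // VS1-VS16
  { kind: "variation-selector", lo: 0xe0100, hi: 0xe01ef }, // VS17-VS256
  { kind: "private-use", lo: 0xe000, hi: 0xf8ff },          // BMP PUA
  { kind: "private-use", lo: 0xf0000, hi: 0xffffd },        // plane 15 PUA
  { kind: "private-use", lo: 0x100000, hi: 0x10fffd },      // plane 16 PUA
];

function classify(cp) {
  const r = RANGES.find((x) => cp >= x.lo && cp <= x.hi);
  return r ? r.kind : null;
}

// One finding per run of at least minRun suspicious code points on a line.
// A single VS16 after an emoji (a legitimate use) stays below the threshold.
function scanSource(text, minRun = 4) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    let kind = null, run = 0, start = 0, col = 0;
    const flush = () => {
      if (run >= minRun) findings.push({ line: idx + 1, col: start, kind, length: run });
      kind = null; run = 0;
    };
    for (const ch of line) { // for..of walks code points, not UTF-16 units
      const k = classify(ch.codePointAt(0));
      if (k !== null && k === kind) run++;
      else { flush(); if (k !== null) { kind = k; start = col; run = 1; } }
      col++;
    }
    flush();
  });
  return findings;
}

// Constructed sample input: two hidden runs and one legitimate emoji sequence.
const SAMPLE = [
  "const config = { retries: 3 };",
  'const t = "\u{FE00}\u{FE01}\u{FE02}\u{FE03}\u{FE04}\u{FE05}"; // renders as an empty string',
  'const label = "\u{E000}\u{E001}\u{E002}\u{E003}\u{E004}";',
  'const ok = "\u{2764}\u{FE0F}"; // heart + VS16, a normal emoji sequence',
].join("\n");

function report(findings) {
  return findings.map((f) => `line ${f.line} col ${f.col}: ${f.length} ${f.kind} code points`).join("\n");
}

console.log(report(scanSource(SAMPLE)) || "no hidden runs found");
```

Running the scanner over a repository as a pre-commit or CI check surfaces exactly the runs that an editor or diff viewer would render as nothing.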

Thanks to the Solana blockchain, the command-and-control infrastructure is resilient against the shutdown of individual servers: the malware reads Base64-encoded links to the payload carrying the actual malware from the public blockchain.

This way, attackers can replace the C2 server at any time and publish the new address via the blockchain.

GlassWorm has now also appeared on GitHub, according to the Koi blog. Maintainers have reported that their repositories have received presumably AI-generated commits that, at first glance, appear to be relevant to the project and legitimate but contain code with GlassWorm's attack patterns, which is also invisible.

The blog post states that the commits on GitHub use Private Use Areas, i.e., Unicode characters designated for private use. This is intended to make the code invisible as well, although we were unable to replicate this in our tests.

According to the Koi blog, after a tip from a security researcher who wishes to remain anonymous, the attackers left an endpoint on their server unsecured. Koi exploited the vulnerability to read data.

There, they found information about the companies and organizations affected by the attack, including a state institution from the Middle East.

The data contains Russian texts and a reference to RedExt.

(Image: Koi)

Interestingly, according to Koi, keylogger data from the attacker was also found in the data. Among other things, it indicates that the attackers speak Russian and use the command-and-control framework RedExt.

Koi has passed the information on to law enforcement agencies to inform the victims and take action against the attackers.

(rme)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.