Executive Summary
In late January 2026, a sophisticated supply chain attack compromised the Open VSX Registry, a platform for Visual Studio Code extensions. Threat actors gained unauthorized access to the developer account 'oorzc' and published malicious updates to four widely used extensions, collectively downloaded over 22,000 times. These updates embedded the GlassWorm malware loader, which, upon installation, targeted macOS systems to steal credentials, browser data, and cryptocurrency wallet information. The malware employed advanced evasion techniques, including locale-based profiling and utilizing the Solana blockchain for command-and-control communication, complicating detection and mitigation efforts. (socket.dev)
This incident underscores the escalating risks associated with software supply chain attacks, particularly within trusted development ecosystems. The use of blockchain technology for command-and-control highlights the evolving sophistication of threat actors, necessitating enhanced vigilance and robust security measures in software development and distribution processes.
Why This Matters Now
The GlassWorm attack highlights the urgent need for developers and organizations to scrutinize third-party extensions and implement stringent security protocols. The exploitation of trusted platforms for malware distribution poses significant risks, emphasizing the importance of continuous monitoring and rapid response strategies to mitigate potential breaches.
Attack Path Analysis
The GlassWorm campaign began by compromising developer accounts to distribute malicious updates through trusted VS Code extensions, leading to the installation of a multi-stage malware framework. This framework escalated privileges by deploying a remote access trojan (RAT) that established persistent control over infected systems. The malware then moved laterally by installing a malicious Chrome extension across different browsers, enabling further data collection. Command and control was maintained through Solana blockchain transactions, allowing the attackers to issue commands and retrieve stolen data covertly. Sensitive information, including credentials and cryptocurrency wallet data, was exfiltrated to external servers. The impact included unauthorized access to personal and financial data, leading to potential financial loss and privacy breaches.
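As an added defensive triage aid (not code from the report or from any of the cited sources), the script below checks locally installed VS Code / Open VSX extensions for the two indicators this report makes concrete: the compromised publisher account 'oorzc', and invisible Unicode code points in JavaScript sources, the code-hiding technique named in the Sources. It assumes the standard extension layout of a package.json with a "publisher" field beside the extension's JS files; the sample strings in the test are constructed.

```python
"""Triage installed VS Code / Open VSX extensions for GlassWorm indicators:
the compromised publisher named in this report ('oorzc') and invisible
Unicode code points used to hide JavaScript. Assumes the usual layout of a
package.json with a "publisher" field next to the extension's JS files."""
import json
import unicodedata
from pathlib import Path

COMPROMISED_PUBLISHERS = {"oorzc"}  # publisher account named in the report
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
HANGUL_FILLERS = {0x115F, 0x1160, 0x3164, 0xFFA0}

def is_invisible(ch: str) -> bool:
    """True for code points that render as nothing: Unicode format characters
    (zero-width joiners, tag characters), variation selectors, Hangul fillers."""
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"
            or any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS)
            or cp in HANGUL_FILLERS)

def find_invisible_runs(source: str) -> list[tuple[int, int, int]]:
    """Return (line, column, length) for every run of invisible code points."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            hits.append((line_no, start, col - start))
    return hits

def assess_extension(manifest: dict, sources: dict[str, str]) -> dict:
    """manifest: parsed package.json; sources: {relative path: JS text}."""
    publisher = manifest.get("publisher", "")
    hidden = {path: runs for path, text in sources.items()
              if (runs := find_invisible_runs(text))}
    return {"publisher": publisher,
            "compromised_publisher": publisher in COMPROMISED_PUBLISHERS,
            "hidden_code_points": hidden,
            "suspicious": publisher in COMPROMISED_PUBLISHERS or bool(hidden)}

def scan_extension_dir(ext_dir: Path) -> dict:
    """Load one installed extension directory (e.g. under ~/.vscode/extensions) and assess it."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    sources = {str(p.relative_to(ext_dir)): p.read_text(encoding="utf-8", errors="replace")
               for p in ext_dir.rglob("*.js")}
    return assess_extension(manifest, sources)
```

A hit from find_invisible_runs is a starting point for review, not proof of compromise: legitimate sources occasionally contain a stray byte-order mark or emoji variation selector, so inspect the flagged line before acting.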
Kill Chain Progression
Initial Compromise
Description
Attackers compromised developer accounts to distribute malicious updates via trusted VS Code extensions, leading to the installation of a multi-stage malware framework.
MITRE ATT&CK® Techniques
User Execution: Malicious File
Command and Scripting Interpreter: JavaScript
Browser Extensions
Screen Capture
Input Capture: Keylogging
Steal Web Session Cookie
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 (Control 6.4.3): Ensure that security patches are installed within one month of release
- NYDFS 23 NYCRR 500 (Control 500.03): Cybersecurity Policy
- DORA (Article 5): ICT Risk Management Framework
- CISA ZTMM 2.0 (Control 3.1): User and Device Authentication
- NIS2 Directive (Article 21): Cybersecurity Risk Management Measures
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
GlassWorm infostealer targeting crypto wallets and session tokens poses critical risk to financial institutions through browser compromise and encrypted traffic exfiltration.
Computer Software/Engineering
Chrome extension masquerading as Google Docs threatens software development environments through keylogging, screenshot capture, and potential source code theft via browser sessions.
Information Technology/IT
Multi-stage RAT deployment exploiting east-west traffic and lateral movement capabilities directly threatens IT infrastructure security and zero trust implementations.
Computer/Network Security
Solana blockchain dead drops for command and control bypass traditional security controls, requiring enhanced egress filtering and anomaly detection capabilities.
Sources
- GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data: https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html
- Invisible malicious code attacks 151 GitHub repos and VS Code: Glassworm attack uses blockchain to steal tokens, credentials, and secrets: https://www.tomshardware.com/tech-industry/cyber-security/malicious-packages-using-invisible-unicode-found-in-151-github-repos-and-vs-code
- GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers: https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html
- New GlassWorm attack targets macOS via compromised OpenVSX extensions: https://www.bleepingcomputer.com/news/security/new-glassworm-attack-targets-macos-via-compromised-openvsx-extensions/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the GlassWorm campaign because it could limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may limit the malware's ability to communicate with other workloads, reducing the potential for further exploitation.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely limit the RAT's ability to interact with other systems, reducing the scope of its control.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security may restrict the malware's ability to propagate across systems, limiting data collection efforts.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely detect and limit unauthorized command and control communications, reducing the attacker's ability to manage compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement may limit the exfiltration of sensitive data, reducing the impact of the breach.
The implementation of CNSF controls would likely reduce the overall impact by limiting the attacker's ability to access and exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Software Development
- Version Control Systems
- Continuous Integration/Continuous Deployment (CI/CD) Pipelines
Estimated downtime: 7 days
Estimated loss: $50,000
Data at risk: developer credentials, source code repositories, and cryptocurrency wallet information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect anomalous activities across cloud environments.
- Enforce East-West Traffic Security to secure internal communications and prevent unauthorized access between workloads.
- Apply Inline IPS (Suricata) to detect and prevent known exploit patterns and malicious payloads in real time.