Executive Summary
In late January 2026, a sophisticated supply chain attack compromised the Open VSX Registry, an open-source marketplace for Visual Studio Code extensions. Threat actors gained unauthorized access to a trusted developer's account, 'oorzc,' and injected malicious code into four widely used extensions: FTP/SFTP/SSH Sync Tool, I18n Tools, vscode mindmap, and scss to css. These extensions, collectively downloaded over 22,000 times, delivered the GlassWorm malware, which targeted macOS systems to exfiltrate sensitive data, including browser credentials, cryptocurrency wallets, and developer secrets. The malware employed advanced evasion techniques, such as locale checks to avoid Russian systems and use of the Solana blockchain for command-and-control communications. (thehackernews.com)
This incident underscores the escalating threat of supply chain attacks within the developer ecosystem. The exploitation of trusted extensions highlights the need for enhanced security measures in open-source platforms. Organizations must prioritize the integrity of their development tools and implement robust monitoring to detect unauthorized modifications promptly.
Why This Matters Now
The GlassWorm attack exemplifies the growing sophistication of supply chain threats targeting developer environments. As open-source tools become integral to software development, ensuring their security is paramount to prevent widespread compromise and data breaches.
Attack Path Analysis
The GlassWorm malware campaign began with the compromise of a legitimate developer's account on the Open VSX Registry, allowing attackers to distribute malicious updates to widely-used extensions. Once installed, the malware executed an infostealer that harvested sensitive data from macOS systems, including browser credentials and cryptocurrency wallets. The malware then established command and control channels using encrypted communications and blockchain-based techniques to evade detection. Finally, the exfiltrated data was transmitted to attacker-controlled servers, leading to potential financial loss and unauthorized access to sensitive information.
Kill Chain Progression
Initial Compromise
Description
Attackers compromised a legitimate developer's account on the Open VSX Registry and distributed malicious updates to popular extensions.
Related CVEs
CVE-2025-6705
CVSS 5.3 – A vulnerability in the Eclipse Open VSX Registry's automated publishing system allowed unauthorized uploads of extensions due to improper isolation in build scripts, potentially exposing a privileged token.
Affected Products:
Eclipse Foundation Open VSX Registry – prior to June 24, 2025
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Obfuscated Files or Information
Web Protocols
Screen Capture
Keylogging
Valid Accounts
Symmetric Cryptography
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
GlassWorm's supply-chain attack targeting Open VSX components directly threatens software development pipelines, requiring enhanced egress security and zero trust segmentation.
Information Technology/IT
Self-replicating malware poisoning developer ecosystems creates significant risk for IT infrastructure management, demanding multicloud visibility and threat detection capabilities.
Computer/Network Security
Supply-chain compromise of development tools exposes security vendors to infostealer infections, necessitating strengthened east-west traffic security and anomaly detection.
Financial Services
Developer ecosystem infections pose critical risk to financial institutions' software supply chains, requiring compliance with PCI/HIPAA standards and encrypted traffic protection.
Sources
- GlassWorm Malware Returns to Shatter Developer Ecosystems – https://www.darkreading.com/application-security/glassworm-malware-developer-ecosystems
- Dangerous new malware targets macOS devices via OpenVSX extensions - here's how to stay safe – https://www.techradar.com/pro/security/dangerous-new-malware-targets-macos-devices-via-openvsx-extensions-heres-how-to-stay-safe
- Attackers Hijack Open VSX Extensions to Spread GlassWorm Malware – https://hivepro.com/threat-advisory/attackers-hijack-open-vsx-extensions-to-spread-glassworm-malware/
- Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm – https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the GlassWorm incident as it could have limited the malware's ability to move laterally, exfiltrate data, and establish command and control channels, thereby reducing the overall impact of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial compromise of a developer's account, it could limit the malware's ability to propagate within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the malware's access to sensitive data by enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely constrain the malware's lateral movement by monitoring and controlling internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling outbound traffic.
With Aviatrix controls in place, the scope of data exfiltration could likely be reduced, thereby limiting potential financial loss and unauthorized access.
Impact at a Glance
Affected Business Functions
- Software Development
- Version Control
- Continuous Integration/Continuous Deployment (CI/CD)
Estimated downtime: 7 days
Estimated loss: $500,000
Developer credentials, including AWS and SSH keys; browser data; cryptocurrency wallet information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit the spread of malware within the network.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to monitor and manage security across all cloud environments.
- Regularly audit and monitor developer accounts and extension repositories to detect and prevent unauthorized access.
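As an added defender-side check (not code from the advisory or from any vendor named on this page), the script below inventories extension manifests in VS Code's `~/.vscode/extensions/<publisher>.<name>-<version>/package.json` layout and flags any published by the compromised 'oorzc' account or carrying one of the four affected display names; the sample extension tree it builds, including the placeholder extension name "sample-sync", is constructed for an offline run and does not reflect real extension IDs.

```python
import json
import tempfile
from pathlib import Path

# Publisher account and extension display names as stated on the page.
COMPROMISED_PUBLISHER = "oorzc"
AFFECTED_DISPLAY_NAMES = {
    "FTP/SFTP/SSH Sync Tool", "I18n Tools", "vscode mindmap", "scss to css",
}

def scan_extension_dir(root):
    """Walk <root>/*/package.json (VS Code's ~/.vscode/extensions layout) and
    return one finding per manifest that matches the publisher or a name."""
    findings = []
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort
        publisher = str(meta.get("publisher", ""))
        reasons = []
        if publisher.lower() == COMPROMISED_PUBLISHER:
            reasons.append("publisher matches compromised account")
        if str(meta.get("displayName", "")) in AFFECTED_DISPLAY_NAMES:
            reasons.append("display name matches affected extension")
        if reasons:
            findings.append({"id": f"{publisher}.{meta.get('name', '?')}",
                             "version": str(meta.get("version", "?")),
                             "path": str(manifest.parent), "reasons": reasons})
    return findings

def build_sample_install():
    """Constructed sample extension tree (placeholder names, not real IDs)."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    samples = {
        "oorzc.sample-sync-1.0.0": {"name": "sample-sync", "publisher": "oorzc",
            "displayName": "FTP/SFTP/SSH Sync Tool", "version": "1.0.0"},
        "benign.hello-0.1.0": {"name": "hello", "publisher": "benign",
            "displayName": "Hello", "version": "0.1.0"},
    }
    for folder, meta in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(meta))
    (root / "broken-0.0.1").mkdir()  # malformed manifest exercises the skip path
    (root / "broken-0.0.1" / "package.json").write_text("{not json")
    return root

if __name__ == "__main__":
    for f in scan_extension_dir(build_sample_install()):
        print(f["id"], f["version"], "->", "; ".join(f["reasons"]))
```

Point `scan_extension_dir` at a real extensions directory to inventory a workstation; a match means the extension should be removed and the host treated as potentially exposed per the advisory.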