GlassWorm Sleeper Extensions Activate on Open VSX, Shift to GitHub-Hosted VSIX Malware
The GlassWorm malware campaign has evolved to deploy 'sleeper' extensions on Open VSX that are subsequently weaponized to download malicious VSIX payloads hosted on GitHub. The malware employs sophisticated evasion techniques, including Russian geofencing, source-to-compiled code mismatches, and utilizing the Solana blockchain as a dead-drop resolver for command and control, ultimately leading to arbitrary Node.js code execution across multiple developer IDEs.
Authors: Socket
Source: Socket
- URL: hxxps://github[.]com/chiara585/fwefwewvwfe/releases/download/dqdwd/qwdfewfqzxv.vsix - Malicious VSIX payload downloaded by the weaponized lauracode.wrap-selected-code extension.
- URL: hxxps://github[.]com/francesca898/dqwffqw/releases/download/vsx/autoimport-smart-tool-2.5.8.vsix - Malicious VSIX payload downloaded by the weaponized 96-studio.json-formatter extension.
Key Takeaways
- The GlassWorm campaign uses 'sleeper' extensions on Open VSX that appear benign initially but are later updated to deliver malicious loaders.
- Malicious payload delivery has shifted from Open VSX to GitHub-hosted VSIX files, evading registry-side takedowns.
- The malware utilizes the Solana blockchain as a dead-drop resolver for C2 communication, querying a hardcoded wallet address via multiple RPC endpoints.
- Attackers hide the malicious loader in the compiled JavaScript (extension.js), keeping the visible TypeScript source clean to evade source-level code review.
- The loader force-installs the malicious VSIX into multiple detected IDEs (VS Code, Cursor, VSCodium, Windsurf, Positron) using CLI tools.
Affected Systems
- VS Code
- VSCodium
- Cursor
- Windsurf
- Positron
- macOS
- Windows
- Linux
Attack Chain
Attackers publish benign 'sleeper' extensions to Open VSX and later update other extensions to act as extension packs that pull in these sleepers as dependencies. Once activated, the sleeper's malicious loader (hidden in the compiled JavaScript) checks for Russian locales to avoid execution and establishes a 48-hour persistence mechanism via a JSON file in the user's home directory. It then queries a hardcoded Solana wallet address via RPC endpoints to resolve its C2 payload URL, fetching and executing arbitrary Node.js code. Finally, the malware downloads a malicious VSIX from GitHub and force-installs it across all detected IDEs on the host system.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide explicit detection rules (such as YARA or Sigma) but highlights behavioral indicators, such as line count anomalies between source and compiled code, for detection engineering.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR can detect the IDE process spawning CLI commands to install extensions and potentially the Node.js arbitrary code execution, but the initial JavaScript execution within the IDE context might blend in with normal developer activity.
- Network Visibility: Medium — Network monitoring can spot connections to Solana RPC endpoints and GitHub releases, but the traffic is HTTPS and the C2 payload is encrypted.
- Detection Difficulty: Hard — The use of sleeper extensions, source/compiled mismatches, blockchain-based dead-drop resolvers, and GitHub for payload hosting makes static and network detection highly challenging.
Required Log Sources
- Process Creation Logs
- Network Connection Logs
- File Creation Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for IDE processes (e.g., code.exe, cursor.exe) spawning child processes with the '--install-extension --force' arguments. | Process Creation Logs | Propagation | Medium |
| Monitor for unusual network connections from IDE processes to known Solana RPC endpoints or unexpected GitHub release URLs. | Network Connection Logs | Command and Control | Low |
| Detect anomalies in extension file sizes or line counts, specifically where the compiled JavaScript (extension.js) significantly outweighs the source TypeScript (extension.ts). | File System Logs / Static Analysis | Defense Evasion | Low |
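The first hunting hypothesis above can be expressed as a simple check over process-creation telemetry. The following is an added example written for this summary, not code from the Socket report or from any EDR product: it takes simplified, constructed process records (parent image, child image, command line), flags cases where an IDE process or its CLI is driven with both '--install-extension' and '--force', and rates installs of a local .vsix file higher than installs of a marketplace identifier, since the report describes the payload arriving as a downloaded VSIX. The field names and sample records are assumptions; map them onto your own telemetry (for example Sysmon Event ID 1) before use.

```python
"""Hunting check for IDE processes force-installing extensions.

Added example for this summary, not code from the Socket report or from
any EDR product. The log records below are constructed and simplified
(parent image, child image, command line); map them to your own
telemetry's fields before use.
"""
from dataclasses import dataclass
from typing import List, Optional

# IDEs named in the report, as lower-cased executable stems.
IDE_IMAGES = {"code", "cursor", "codium", "vscodium", "windsurf", "positron"}

INSTALL_FLAG = "--install-extension"
FORCE_FLAG = "--force"


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def image_stem(path: str) -> str:
    """'C:\\...\\Code.exe' -> 'code', '/usr/bin/cursor' -> 'cursor'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def install_target(tokens: List[str]) -> Optional[str]:
    """Argument following --install-extension, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == INSTALL_FLAG:
            return tokens[i + 1]
    return None


def assess(ev: ProcessEvent) -> Optional[dict]:
    """Return a finding when an IDE-related process force-installs an extension.

    The report's loader drives the IDE CLI with '--install-extension --force',
    so both flags must be present and either the parent or the child must be
    an IDE image. Installing a local .vsix file (rather than a marketplace
    identifier) matches the GitHub-hosted payload path and is rated higher.
    """
    tokens = ev.command_line.split()
    lowered = [t.lower() for t in tokens]
    if INSTALL_FLAG not in lowered or FORCE_FLAG not in lowered:
        return None
    if not ({image_stem(ev.parent_image), image_stem(ev.image)} & IDE_IMAGES):
        return None
    target = install_target(tokens)
    from_vsix_file = bool(target) and target.strip('"').lower().endswith(".vsix")
    return {
        "image": ev.image,
        "parent": ev.parent_image,
        "target": target,
        "severity": "high" if from_vsix_file else "medium",
    }


def hunt(events: List[ProcessEvent]) -> List[dict]:
    """Run assess() over a batch of events and keep the hits."""
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    ProcessEvent(  # IDE spawning a shell that force-installs a local .vsix
        parent_image=r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c code --install-extension C:\Users\dev\AppData\Local\Temp\payload.vsix --force",
    ),
    ProcessEvent(  # ordinary developer install: no --force
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        command_line='"Code.exe" --install-extension ms-python.python',
    ),
    ProcessEvent(  # forced install of a marketplace ID from Cursor itself
        parent_image="/usr/share/cursor/cursor",
        image="/usr/bin/cursor",
        command_line="/usr/bin/cursor --install-extension ms-python.python --force",
    ),
    ProcessEvent(  # unrelated node process carrying a --force flag
        parent_image="/bin/bash",
        image="/usr/bin/node",
        command_line="node build.js --force",
    ),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only the first and third records are flagged (high and medium respectively); the plain marketplace install without '--force' and the unrelated Node process are left alone, which is where most of the medium FP risk noted in the table is absorbed.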
Control Gaps
- Static source code analysis (misses compiled JS injection)
- Domain-based C2 blocking (bypassed by Solana blockchain dead-drop resolver)
Key Behavioral Indicators
- IDE processes executing '--install-extension --force'
- Large line count discrepancies between src/extension.ts and out/extension.js (e.g., 18.3x ratio)
- IDE processes querying Solana RPC endpoints
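The second indicator above is the one static check a defender can run against an extension inventory. The following is an added example for this summary, not code from the Socket report: it walks extension directories, pairs each src/extension.ts with its out/extension.js (the paths the report names), and reports extensions whose compiled line count exceeds the source by more than a threshold. The 10x threshold and the default extension root paths are assumptions (the report cites an 18.3x case; the roots listed are common user-level locations and should be verified for each IDE). The audit runs here over a constructed fixture so it works offline; point it at real roots to use it on a host.

```python
"""Audit installed extensions for source/compiled line-count mismatches.

Added example for this summary, not code from the Socket report. It checks
the static indicator the report describes: a compiled out/extension.js far
larger than the shipped src/extension.ts. The threshold and the default
extension roots are assumptions for illustration.
"""
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional

RATIO_THRESHOLD = 10.0  # assumption, not from the report (it cites 18.3x)

# Assumed user-level extension roots; verify for your IDE versions.
EXTENSION_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",  # VSCodium
    Path.home() / ".cursor" / "extensions",
]


def count_lines(path: Path) -> int:
    with path.open("rb") as fh:
        return sum(1 for _ in fh)


def compiled_to_source_ratio(ext_dir: Path) -> Optional[dict]:
    """Line stats for the TS/JS pair the report names, or None if absent.

    Many legitimate extensions ship only compiled output; a missing src/ is a
    visibility gap, not an indicator, so the caller gets None rather than a hit.
    """
    ts = ext_dir / "src" / "extension.ts"
    js = ext_dir / "out" / "extension.js"
    if not (ts.is_file() and js.is_file()):
        return None
    ts_lines = count_lines(ts)
    js_lines = count_lines(js)
    if ts_lines == 0:
        return None
    return {
        "extension": ext_dir.name,
        "ts_lines": ts_lines,
        "js_lines": js_lines,
        "ratio": js_lines / ts_lines,
    }


def audit(roots: Iterable[Path], threshold: float = RATIO_THRESHOLD) -> List[dict]:
    """Return stats for every extension whose JS/TS ratio meets the threshold."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            stats = compiled_to_source_ratio(ext_dir)
            if stats and stats["ratio"] >= threshold:
                findings.append(stats)
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: one ordinary extension and one with the mismatch."""
    root = base / "extensions"

    def write(ext: str, rel: str, n: int) -> None:
        p = root / ext / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("".join(f"// line {i}\n" for i in range(n)))

    # Ordinary build: compiled output is only modestly longer than the source.
    write("publisher.normal-tool-1.0.0", "src/extension.ts", 200)
    write("publisher.normal-tool-1.0.0", "out/extension.js", 260)
    # Mismatch mirroring the ratio the report cites (732 / 40 = 18.3x).
    write("publisher.sleeper-ext-0.0.1", "src/extension.ts", 40)
    write("publisher.sleeper-ext-0.0.1", "out/extension.js", 732)
    return root


def run_sample_audit() -> List[dict]:
    """Build the constructed fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit([build_sample_tree(Path(tmp))])


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['extension']}: js={f['js_lines']} ts={f['ts_lines']} ratio={f['ratio']:.1f}x")
    # On a real host: audit(EXTENSION_ROOTS)
```

A hit from this check is a prompt to diff the compiled file against a fresh build of the shipped source, not proof of compromise on its own; bundlers and inlined dependencies can also inflate out/extension.js, so baseline the ratio against your approved extensions first.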
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Remove identified malicious extensions (e.g., lauracode.wrap-selected-code, 96-studio.json-formatter) from all developer environments.
- Block access to the identified GitHub release URLs and Solana RPC endpoints used by the malware.
Infrastructure Hardening
- Implement strict allowlisting for IDE extensions, preventing the installation of unapproved or newly published extensions.
- Monitor and restrict outbound network connections from developer workstations to unnecessary blockchain RPC endpoints.
User Protection
- Deploy EDR solutions to developer endpoints to monitor for suspicious child processes spawned by IDEs.
- Educate developers on the risks of typosquatted extensions and the importance of verifying extension publishers.
Security Awareness
- Train development teams to review not just the source code but also the compiled artifacts of third-party dependencies.
- Establish a policy for vetting and approving IDE extensions before they can be used in the corporate environment.
MITRE ATT&CK Mapping
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1204 - User Execution
- T1480 - Execution Guardrails
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
- T1583.006 - Acquire Infrastructure: Web Services
- T1102.001 - Web Service: Dead Drop Resolver
Additional IOCs
- Domains:
  - solana-rpc[.]publicnode[.]com - One of the 9 Solana RPC endpoints queried by the malware for C2 resolution.
- File Paths:
  - extension/out/extension.js - Compiled JavaScript file where the obfuscated malware loader is injected.
  - src/extension.ts - Clean TypeScript source file used to mask the malicious compiled JavaScript.
- Command Lines:
  - '--install-extension --force' | Purpose: Force-installs the downloaded malicious VSIX into detected IDEs. | Tools: IDE CLI (e.g., code, cursor) | Stage: Propagation/Installation
- Other:
  - laura6909 - Threat actor publisher account for lauracode.wrap-selected-code.
  - martina0094 - Threat actor publisher account for 96-studio.json-formatter and rubyideext.ruby-ide-extension.
  - chiara585 - GitHub account hosting malicious VSIX and Open VSX publisher of pubruncode.ccoderunner.
  - francesca898 - GitHub account hosting malicious VSIX payloads.