Cybersecurity researchers from Socket’s Threat Research team have identified a developer-compromise supply chain attack targeting macOS users, where malicious versions of popular developer extensions were used to distribute the GlassWorm malware via the Open VSX Registry.
The attack relied on hijacking a legitimate developer’s account to push poisoned updates, allowing the malware to spread quietly to thousands of unsuspecting users.
Legitimate Extensions Used To Spread Malware
According to a report from Socket’s security research team, threat actors gained unauthorized access to the Open VSX account of a developer known as “oorzc.” The attackers used stolen or leaked publishing credentials to release malicious updates to four popular Visual Studio Code extensions that had been considered safe for over two years.
The following affected extensions had collectively amassed more than 22,000 downloads on Open VSX before the malicious updates were identified:
- FTP/SFTP/SSH Sync Tool (ssh-tools, v0.5.1)
- I18n Tools (i18n-tools-plus, v1.6.8)
- vscode mindmap (mind-map, v1.0.61)
- scss to css (scss-to-css-compile, v1.3.4)
The malicious updates were published on January 30, 2026, marking a significant shift in how GlassWorm campaigns are distributed.
How The GlassWorm Malware Operates
Once installed, the poisoned extensions deploy an encrypted loader associated with the GlassWorm malware family. The loader profiles the infected system and activates only if it confirms the machine is running macOS. Systems configured with a Russian locale are explicitly excluded — a tactic often observed in malware campaigns believed to originate from Russian-speaking regions.
After execution, GlassWorm establishes persistence on infected Macs via a LaunchAgent that runs at every user login. It then begins harvesting a wide range of sensitive information.
Researchers say GlassWorm collects data from multiple sources, including:
- Login credentials, cookies, and browsing history from Firefox and Chromium-based browsers
- Desktop cryptocurrency wallet files such as MetaMask, Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, TonKeeper
- macOS Keychain and iCloud Keychain data
- Safari cookies and Apple Notes databases
- Developer credentials, including AWS keys, SSH configurations, and GitHub authentication artifacts
- Files from the Desktop, Documents, and Downloads folders
- VPN configuration files, including FortiClient
“This campaign shows a clear escalation in Open VSX supply chain abuse. The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions,” Socket notes.
All stolen data is staged locally before being exfiltrated to attacker-controlled infrastructure linked to previous GlassWorm operations.
Solana Blockchain Used For Command-and-Control
One of the more unusual aspects of this campaign is its use of the Solana blockchain for command-and-control. Instead of relying on hardcoded servers, the malware retrieves instructions from Solana transaction memos, allowing attackers to rotate infrastructure without pushing new malicious updates.
Security experts say this technique makes the campaign harder to detect and reduces the effectiveness of traditional detection methods that rely on blocking known, hardcoded infrastructure.
Open VSX Response To The Incident
Socket reported the compromised packages to the Eclipse Foundation, which operates the Open VSX Registry. The Open VSX security team confirmed unauthorized publishing activity, revoked compromised tokens, and removed the malicious releases from the registry.
At the time of writing, Open VSX operator Eclipse Foundation has removed the malicious releases, and all versions of the affected extensions still available on the registry are clean.
What Developers Should Do Now
While the malicious releases have been removed from the registry, security experts warn that removing an extension from Open VSX does not automatically uninstall it from developers' editors.
Developers who installed the affected versions are advised to:
- Perform a full system scan and malware clean-up
- Rotate all passwords, API keys, SSH keys, and developer tokens
- Review systems for suspicious LaunchAgents and unusual outbound network traffic
- Reinstall any cryptocurrency wallet or hardware wallet software from trusted sources
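The LaunchAgent review and the check for lingering installs described above can be scripted. The following is an added example written for this article, not code from Socket's report or the Open VSX project. It assumes the compromised publisher namespace is "oorzc" and that the editor stores extensions as "<publisher>.<name>-<version>" directories, the layout VS Code and VS Code-compatible editors use under ~/.vscode/extensions and ~/.vscode-oss/extensions (both paths are assumptions, not stated on the page). It flags the four poisoned releases, notes other versions of the same extensions, and lists user LaunchAgents newest-first so a recently added persistence entry stands out.

```shell
#!/bin/sh
# Added defender-side example (not code from Socket's report or Open VSX).
# Assumptions: publisher namespace "oorzc"; extension folders named
# "<publisher>.<name>-<version>" under ~/.vscode/extensions or ~/.vscode-oss/extensions.

# Poisoned releases (publisher.name@version) as reported by Socket.
COMPROMISED="oorzc.ssh-tools@0.5.1
oorzc.i18n-tools-plus@1.6.8
oorzc.mind-map@1.0.61
oorzc.scss-to-css-compile@1.3.4"

# classify_extension FOLDER -> prints COMPROMISED, AFFECTED-EXTENSION or ok.
# FOLDER is an extension directory name such as "oorzc.ssh-tools-0.5.1".
# The split assumes the version part contains no '-' (true for the four releases here).
classify_extension() {
    id=${1%-*}      # "<publisher>.<name>"
    ver=${1##*-}    # "<version>"
    for entry in $COMPROMISED; do
        if [ "$id" = "${entry%@*}" ]; then
            if [ "$ver" = "${entry#*@}" ]; then
                echo "COMPROMISED"            # exact poisoned release is installed
            else
                echo "AFFECTED-EXTENSION"     # same extension, other version: verify it is current
            fi
            return 0
        fi
    done
    echo "ok"
}

# scan_extension_dir DIR -> one "<status>\t<folder>" line per extension directory;
# returns 1 if any folder is COMPROMISED, 0 otherwise.
scan_extension_dir() {
    found=0
    for path in "$1"/*/; do
        [ -d "$path" ] || continue
        folder=$(basename "$path")
        status=$(classify_extension "$folder")
        printf '%s\t%s\n' "$status" "$folder"
        [ "$status" = "COMPROMISED" ] && found=1
    done
    return $found
}

# list_user_launchagents -> newest-first listing of ~/Library/LaunchAgents and, when
# plutil is available (macOS), the label and program each agent runs at login.
list_user_launchagents() {
    agents="$HOME/Library/LaunchAgents"
    [ -d "$agents" ] || { echo "no user LaunchAgents directory"; return 0; }
    ls -lt "$agents"
    if command -v plutil >/dev/null 2>&1; then
        for plist in "$agents"/*.plist; do
            [ -f "$plist" ] || continue
            echo "== $plist"
            plutil -p "$plist" | grep -E 'Label|Program|RunAtLoad' || true
        done
    fi
}

# main [EXTENSION_DIR ...] -> scans the given (or default) extension directories,
# then lists LaunchAgents; exit status 1 if a poisoned release was found.
main() {
    [ "$#" -gt 0 ] || set -- "$HOME/.vscode/extensions" "$HOME/.vscode-oss/extensions"
    rc=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        echo "== $dir"
        scan_extension_dir "$dir" || rc=1
    done
    list_user_launchagents
    return $rc
}

main "$@"
```

A non-zero exit status means one of the four poisoned versions is still present on disk and the rotation and clean-up steps above apply; an AFFECTED-EXTENSION line only means the extension is installed at some other version and should be confirmed against the registry's current clean release.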
