EXECUTIVE SUMMARY:
Malicious Open VSX extensions, specifically exargd/[email protected] and noellee-doc/[email protected], were found to be trojanized with WebAssembly malware embedded in a renamed TinyGo loader. The module uses ChaCha20 string encryption to conceal its command-and-control configuration, and resolves its infrastructure from the Solana mainnet blockchain via getSignaturesForAddress and getTransaction JSON-RPC calls. The second-stage host is read from an on-chain SPL Memo instruction and used to build a cross-platform download-and-execute command, which a script payload runs through Node's child_process. The use of WebAssembly as a stager marks a pivot to binary loading for obfuscation. Because every operationally meaningful string (RPC method names, wallet address, program IDs, command templates) is ChaCha20-encrypted at rest, signatures that key on readable strings in the extension package will not match.
Once deobfuscated, the module's purpose is unambiguous: it polls the Solana mainnet JSON-RPC API for transactions sent to an attacker-controlled wallet, reads the attacker's instructions out of the on-chain SPL Memo field, and uses that to build and execute an OS-specific download-and-execute command via Node's child_process. The Solana blockchain is used as a takedown-resistant command-and-control (C2) dead-drop: there is no hardcoded server to seize or sinkhole, and the operator can rotate second-stage infrastructure simply by posting a new transaction.
The tradecraft in this module overlaps significantly with the GlassWorm supply-chain campaign, which compromised 400+ components across npm, the VS Code Marketplace, Open VSX, and GitHub between and. The use of Solana transaction memos sent to a watched wallet as a takedown-resistant C2 dead-drop that resolves a rotating second-stage host is a defining innovation of GlassWorm. This sample matches the vector exactly: a single account published identity-cloned trojanized extensions to Open VSX under impersonated namespaces (ExarGD, noellee-doc) on /10, reusing the names, versions, and repo links of legitimate, verified VS Code Marketplace extensions.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195 | Supply Chain Compromise | - |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Execution | E1204 | User Execution |
| Impact | B0022 | Remote Access |
| Exfiltration | E1020 | Automated Exfiltration |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Command & Control | E1105 | Ingress Tool Transfer |
REFERENCES:
The following reports contain further technical details:
https://socket.dev/blog/glasswasm-malware-open-vsx-extensions