Threat Advisory

73 Open VSX Sleeper Extensions Linked to GlassWorm

Threat: Supply Chain Attack
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Open VSX extensions tied to GlassWorm have been found to be sleeper extensions: they are designed to look legitimate while serving as delivery vehicles for malware. The extensions were published by newly created GitHub accounts with only one or two public repositories, one of which is empty and named with an eight-character string. The tactic lets threat actors build trust and credibility first and deliver the malicious payload later through the normal extension update path.

The GlassWorm campaign targeting Open VSX continues to escalate, with a new cluster of 73 impersonation extensions connected to the same sleeper-extension activity. At least six of these extensions have already been activated to deliver malware; the remainder appear to be high-confidence sleepers or related suspicious extensions. This points to a coordinated effort to compromise the Open VSX marketplace. Sleeper extensions let threat actors keep a low profile until the payload is pushed, which makes the threat difficult to detect and mitigate.

The implications are significant: developers should be cautious about which Open VSX extensions they install, and organisations should monitor dependencies and proactively block malicious open source packages before they can deliver malware. Even seemingly legitimate extensions can carry hidden threats, so vigilance in the use of open source code remains essential.
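The traits described above (an unfamiliar publisher, a throwaway repository named with an eight-character string, a display name borrowed from a well-known extension) can be checked against the extension manifests already installed on a workstation. The following Python script is an added example written for this advisory; it is not code from the advisory's sources or from the Open VSX project. The publisher allowlist, the known-extension map and the sample manifests are constructed assumptions, and the default extensions directory is the one VS Code uses.

```python
"""Audit VS Code / Open VSX extension manifests for the sleeper-extension traits
described in the advisory: an unfamiliar publisher, a repository that lives in a
throwaway GitHub repo named with an eight-character string, and a display name
that impersonates a well-known extension under a different publisher.
"""
import glob
import json
import os
import re
from urllib.parse import urlparse

# Repository names like "x7Qp2LmZ": exactly eight alphanumeric characters.
EIGHT_CHAR_REPO = re.compile(r"^[A-Za-z0-9]{8}$")

# Hypothetical allowlist of publishers an organisation has vetted (assumption).
TRUSTED_PUBLISHERS = {"ms-python", "esbenp", "dbaeumer"}

# Hypothetical map of well-known display names to their legitimate publisher (assumption).
KNOWN_EXTENSIONS = {
    "Prettier - Code formatter": "esbenp",
    "Python": "ms-python",
    "ESLint": "dbaeumer",
}


def load_installed_manifests(ext_dir=os.path.expanduser("~/.vscode/extensions")):
    """Read package.json for every extension under a VS Code-style extensions dir."""
    manifests = []
    for path in glob.glob(os.path.join(ext_dir, "*", "package.json")):
        with open(path, encoding="utf-8") as fh:
            manifests.append(json.load(fh))
    return manifests


def repo_path_parts(manifest):
    """Return (owner, repo) from manifest['repository'], or None if absent/unparseable."""
    repo = manifest.get("repository")
    url = repo.get("url") if isinstance(repo, dict) else repo
    if not isinstance(url, str):
        return None
    parsed = urlparse(url.replace("git+", "", 1))
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    return parts[0], parts[1].removesuffix(".git")


def audit_extension(manifest, trusted=TRUSTED_PUBLISHERS, known=KNOWN_EXTENSIONS):
    """Return the list of reasons a manifest looks suspicious (empty if clean)."""
    reasons = []
    publisher = manifest.get("publisher", "")
    if publisher not in trusted:
        reasons.append(f"publisher '{publisher}' not on allowlist")
    parts = repo_path_parts(manifest)
    if parts is None:
        reasons.append("no usable repository URL")
    elif EIGHT_CHAR_REPO.match(parts[1]):
        reasons.append(f"repository name '{parts[1]}' is an eight-character string")
    display = manifest.get("displayName", "")
    legit = known.get(display)
    if legit is not None and legit != publisher:
        reasons.append(f"display name '{display}' impersonates publisher '{legit}'")
    return reasons


def audit_all(manifests, **kw):
    """Map 'publisher.name' -> reasons for every extension with at least one finding."""
    findings = {}
    for m in manifests:
        reasons = audit_extension(m, **kw)
        if reasons:
            findings[f"{m.get('publisher')}.{m.get('name')}"] = reasons
    return findings


# Constructed sample manifests (not real extensions) to exercise the checks offline.
SAMPLE_MANIFESTS = [
    {"name": "prettier-vscode", "displayName": "Prettier - Code formatter",
     "publisher": "esbenp",
     "repository": {"type": "git", "url": "https://github.com/prettier/prettier-vscode.git"}},
    {"name": "prettier-vscode", "displayName": "Prettier - Code formatter",
     "publisher": "fresh-account-42",
     "repository": {"url": "https://github.com/fresh-account-42/x7Qp2LmZ"}},
    {"name": "theme-pack", "displayName": "Theme Pack", "publisher": "someone"},
]

if __name__ == "__main__":
    for ext, reasons in audit_all(SAMPLE_MANIFESTS).items():
        print(ext)
        for reason in reasons:
            print("  -", reason)
```

For a real audit, call `audit_all(load_installed_manifests())` with `ext_dir` pointed at the directory your editor actually uses, and treat the output as triage leads rather than verdicts: a publisher missing from a small allowlist is a prompt to look, not proof of compromise. Because the campaign relies on the normal update path, a clean result today does not cover tomorrow's update; pinning extension versions or disabling automatic extension updates (`"extensions.autoUpdate": false` in VS Code's settings) closes that window at the cost of manual updates.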

THREAT PROFILE:

Tactic            Technique ID  Technique                          Sub-technique
Initial Access    T1195.001     Supply Chain Compromise            Compromise Software Dependencies and Development Tools
Initial Access    T1195.002     Supply Chain Compromise            Compromise Software Supply Chain
Defence Evasion   T1027.002     Obfuscated Files or Information    Software Packing
Lateral Movement  T1021.002     Remote Services                    SMB/Windows Admin Shares
Exfiltration      T1567.002     Exfiltration Over Web Service      Exfiltration to Cloud Storage

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/73-open-vsx-sleeper-extensions-linked-to-glassworm-malware/

https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm
