
A new GlassWorm malware campaign is targeting macOS developer systems through compromised OpenVSX extensions. Continue reading this Cybersecurity Threat Advisory to learn more about this threat and how to protect your environment.
What is the threat?
A threat actor gained control of a legitimate OpenVSX publisher account (“oorzc”) and distributed malicious updates to four extensions, embedding a GlassWorm payload targeting macOS developer environments. The extensions were downloaded an estimated 22,000 times and were designed to steal sensitive data, including passwords, crypto‑wallet information, and developer credentials and configuration files.
Successful execution could enable account compromise, data exfiltration, and follow‑on access to source code repositories and cloud services.
Why is it noteworthy?
This incident represents a supply‑chain compromise via a trusted extension publisher account, enabling stealthy propagation into developer environments without relying on traditional phishing or exploit‑based delivery. Developer workstations often store high‑value secrets—such as SSH keys, Git tokens, cloud credentials, and API keys—making successful compromise particularly impactful.
The affected extensions had significant reach, with approximately 22,000 downloads, creating broad potential exposure among macOS developers using OpenVSX‑backed marketplaces.
The GlassWorm campaign underscores persistent adversary interest in developer‑centric supply chains. By compromising code editors, extension registries, or build tooling, attackers can harvest credentials and establish access paths into source control systems and downstream production environments.
What is the exposure or risk?
Users of editors or IDEs that rely on OpenVSX, including VS Code derivatives and open‑source tooling, may have received compromised extension updates that expose macOS systems to credential theft and data exfiltration. Stolen data reportedly includes passwords, wallet information, and developer credentials, enabling account compromise, repository access, cloud resource abuse, and potential lateral movement.
What are the recommendations?
Barracuda recommends the following actions to mitigate the risk:
- Inventory & exposure assessment:
  - Identify developer workstations and CI hosts using OpenVSX‑connected editors (e.g., VS Code derivatives, Theia, VSCodium).
  - Enumerate installed extensions and publishers; verify whether extensions from the “oorzc” publisher were installed or recently updated.
  - On macOS, review common extension paths:
    - ~/Library/Application Support/Code/extensions
    - ~/.vscode-oss/extensions
    - Platform‑specific directories for other IDEs (per vendor documentation).
- Immediate containment:
  - Uninstall any identified compromised extensions and temporarily disable extension auto‑updates.
  - Isolate potentially affected macOS systems and initiate forensic triage to assess credential theft or data exfiltration.
- Credential & secret rotation:
  - Rotate exposed secrets, including SSH keys, Git PATs, cloud credentials (AWS/Azure/GCP), package manager tokens, and credentials stored in developer config files (~/.git-credentials, ~/.netrc, etc.).
  - Re‑issue API keys and OAuth tokens; revoke previously issued credentials.
- Crypto‑wallet safeguards: Assume wallet material may be compromised; move funds to new wallets with freshly generated seeds and rotate associated secrets.
- macOS hunting & validation:
  - Review LaunchAgents/LaunchDaemons for suspicious persistence.
  - Inspect editor processes for unusual child processes or outbound connections.
  - Review EDR telemetry for anomalous script execution or network activity following extension installs or updates.
- Network controls:
  - Block known or suspicious indicators; enforce DNS filtering and outbound proxy inspection on developer endpoints.
  - Apply relevant IDS/IPS/WAF detections and enable SSL inspection where policy permits.
- Secure extension management:
  - Restrict allowed marketplaces and publishers; maintain approved extension allow‑lists.
  - Enforce MFA and strong credential hygiene for marketplace publisher accounts.
- Incident response follow‑up:
  - Preserve logs, memory, and extension artifacts; submit samples for analysis if exploitation is suspected.
  - Audit source repositories, CI/CD pipelines, deployment keys, and recent commits; verify backups remain intact.
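The inventory and macOS hunting steps above, as an added shell example that is not part of the Barracuda advisory: it walks the extension directories the advisory lists, flags any extension whose publisher is on a watch-list (only “oorzc” comes from the advisory), and prints what each launchd plist executes so persistence that appeared around an extension update stands out. The watch-list, the “REVIEW” heuristic, and the constructed sample tree built by `build_constructed_sample` are assumptions of this example; the script is read-only and never modifies the host.

```shell
#!/bin/sh
# Added example, not part of the Barracuda advisory: a read-only triage helper
# for the inventory and macOS persistence-review steps. It flags installed
# extensions whose publisher is on a watch-list ("oorzc" is the only ID from
# the advisory) and lists what each launchd plist runs. The watch-list, the
# "REVIEW" heuristic and the sample tree are this example's assumptions.

# Publisher IDs to flag; extend with a space-separated list.
WATCHED_PUBLISHERS="oorzc"

# Print the publisher of one extension directory: the "publisher" field of
# its package.json, else the "<publisher>.<name>-<version>" directory prefix.
extension_publisher() {
    pub=""
    if [ -f "$1/package.json" ]; then
        pub=$(sed -n 's/.*"publisher"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" | head -n 1)
    fi
    [ -n "$pub" ] || pub=$(basename "$1" | cut -d. -f1)
    printf '%s\n' "$pub"
}

# Print "FLAGGED <dir> publisher=<id>" for each extension under the given
# roots whose publisher is watched; roots that do not exist are skipped.
find_watched_extensions() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        for ext in "$root"/*/; do
            [ -d "$ext" ] || continue
            ext=${ext%/}
            pub=$(extension_publisher "$ext")
            for watched in $WATCHED_PUBLISHERS; do
                if [ "$pub" = "$watched" ]; then
                    printf 'FLAGGED %s publisher=%s\n' "$ext" "$pub"
                fi
            done
        done
    done
    return 0
}

# Number of flagged extensions under the given roots.
count_watched_extensions() {
    find_watched_extensions "$@" | wc -l | tr -d ' '
}

# For every .plist in the given directories, print its name and every
# <string> value (Label, program and arguments). "REVIEW" marks a program or
# argument under a temp or editor-extension directory: a triage heuristic,
# not an indicator of compromise. plutil converts binary plists on macOS.
list_launch_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if command -v plutil >/dev/null 2>&1; then
                xml=$(plutil -convert xml1 -o - "$plist" 2>/dev/null) || xml=$(cat "$plist")
            else
                xml=$(cat "$plist")
            fi
            # Split on '<' so each tag starts a line, then keep <string> payloads.
            args=$(printf '%s\n' "$xml" | tr '<' '\n' | sed -n 's/^string>//p' | tr '\n' ' ')
            case " $args " in
                *"/tmp/"*|*"/private/tmp/"*|*"/var/folders/"*|*"/extensions/"*) tag="REVIEW" ;;
                *) tag="-" ;;
            esac
            printf '%s %s: %s\n' "$tag" "$(basename "$plist")" "$args"
        done
    done
    return 0
}

# Build a small constructed sample tree (invented data) so the checks can be
# exercised offline; prints the temporary root directory.
build_constructed_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ext/oorzc.example-tool-1.2.3" "$tmp/ext/benignpub.theme-0.1.0" "$tmp/agents"
    printf '{ "name": "example-tool", "publisher": "oorzc", "version": "1.2.3" }\n' \
        > "$tmp/ext/oorzc.example-tool-1.2.3/package.json"
    printf '{ "name": "theme", "publisher": "benignpub", "version": "0.1.0" }\n' \
        > "$tmp/ext/benignpub.theme-0.1.0/package.json"
    cat > "$tmp/agents/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>/tmp/.update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone run: inspect this host using the macOS paths from the advisory.
find_watched_extensions "$HOME/Library/Application Support/Code/extensions" "$HOME/.vscode-oss/extensions"
list_launch_items "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
```

Run it as the developer whose editor is under review; a FLAGGED line is grounds for the containment and rotation steps above, and a REVIEW line is a prompt to compare the plist's modification time against the extension update history, not a verdict. Add further publisher IDs to WATCHED_PUBLISHERS only from sources you trust.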
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/new-glassworm-attack-targets-macos-via-compromised-openvsx-extensions/
- https://www.darkreading.com/application-security/glassworm-malware-developer-ecosystems
- https://www.securityweek.com/open-vsx-publisher-account-hijacked-in-fresh-glassworm-attack/
- https://darknetsearch.com/knowledge/news/en/glassworm-attack-7-urgent-facts-on-the-macos-openvsx-hack/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

