嗯,用户让我用中文总结一下这篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”或者“这篇文章”这样的开头,直接写描述。好的,首先我得仔细阅读文章内容。 文章主要讲的是GlassWorm恶意软件再次出现在Open VSX注册表和GitHub上,感染了三个VS Code扩展,这些扩展在被移除后又出现了。Koi Security的研究人员警告说,这些恶意软件通过感染扩展来传播,窃取用户的凭证,并且使用区块链技术更新C2地址。攻击者还利用AI生成的提交来隐藏恶意负载。 我需要把这些关键点浓缩到100字以内。首先提到GlassWorm重新出现的位置和时间。然后说明感染了多少扩展和下载量。接着提到攻击者使用的手段,比如区块链和AI生成的提交。最后指出恶意软件的危害,比如窃取凭证和潜在的影响。 现在组织语言:GlassWorm恶意软件再次出现在Open VSX和GitHub上,感染了三个VS Code扩展。攻击者利用区块链更新C2地址,并通过AI生成的提交隐藏恶意负载。这导致了约10,000次下载,并可能进一步传播。 检查一下字数是否在100字以内,并且没有使用禁止的开头语句。看起来符合要求。 </think> GlassWorm恶意软件再次出现在Open VSX和GitHub上,感染了三个VS Code扩展。攻击者利用区块链更新C2地址,并通过AI生成的提交隐藏恶意负载。这导致了约10,000次下载,并可能进一步传播。 2025-11-10 20:5:59 Author: securityaffairs.com(查看原文) 阅读量:5 收藏
GlassWorm malware has resurfaced on the Open VSX registry
Pierluigi Paganini
November 10, 2025
GlassWorm malware resurfaces in Open VSX and GitHub, infecting VS Code extensions weeks after its removal from the official marketplace.
GlassWorm malware has resurfaced on the Open VSX registry and newly appeared in GitHub repositories, infecting three more VS Code extensions just weeks after its removal from the official marketplace, Koi Security researchers warn.
In mid-October, hackers spread malware through about a dozen infected extensions to steal NPM, GitHub, and Git credentials. The malware also targets 49 cryptocurrency extensions. Koi Security reported around 35,000 downloads and warned that the malware could spread further by infecting other extensions and packages on compromised systems.
Koi researchers now report that three more VS Code extensions were infected on November 6, totaling approximately 10,000 downloads:
- ai-driven-dev.ai-driven-dev (3,300 downloads)
- adhamu.history-in-sublime-merge (4,000 downloads)
- yasuyuky.transient-emacs (2,400 downloads)
Threat actors used a Solana blockchain transaction to update C2 addresses, while the exfiltration server stayed the same.
“we detected a new wave of GlassWorm infections. Three more extensions compromised. A fresh Solana blockchain transaction providing new C2 endpoints. Same attacker infrastructure, still fully operational.” reads Koi’s report.
The researchers breached the attacker’s server, discovering victims worldwide, including a major Middle Eastern government entity. GlassWorm now threatens critical infrastructure, spreading through the developer ecosystem and jumping from OpenVSX to GitHub using AI-generated commits to hide its malicious payloads.
Koi reports attackers stole victims’ credentials, likely using their devices as proxy infrastructure. Keylogger data shows a Russian-speaking actor using RedExt C&C, multiple crypto exchanges, and messaging platforms.
All three OpenVSX extensions use invisible Unicode malware that runs as JavaScript while appearing blank in editors. Koi notified law enforcement, but the campaign likely affects many more than identified.
On October 31, 2025, Aikido Security found that GlassWorm spread to GitHub, hiding invisible Unicode malware in AI-generated commits that looked legitimate.
The payloads, delivered via the same Solana blockchain method, confirm it’s GlassWorm. Using stolen GitHub credentials, attackers pushed malicious commits to new repositories, proving the worm’s self-propagating nature.
“GlassWorm demonstrates why visibility and governance across the entire software supply chain is no longer optional. When malware can be literally invisible, when worms can self-propagate through stolen credentials, when attack infrastructure can’t be taken down – traditional security tools aren’t enough.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, OpenVSX)
如有侵权请联系:admin#unsafe.sh