A fourth wave of the “GlassWorm” campaign is targeting macOS developers with malicious VSCode/OpenVSX extensions that deliver trojanized versions of crypto wallet applications.

Extensions in the OpenVSX registry and the Microsoft Visual Studio Marketplace expand the capabilities of a VS Code-compatible editor by adding features and productivity enhancements in the form of development tools, language support, or themes.

The Microsoft marketplace is the official extension store for Visual Studio Code, whereas OpenVSX serves as an open, vendor-neutral alternative, primarily used by editors that do not support or choose not to rely on Microsoft’s proprietary marketplace.

The GlassWorm malware first appeared on the marketplaces in October, hidden inside malicious extensions using “invisible” Unicode characters.

Once installed, the malware attempted to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from multiple extensions. Additionally, it supported remote access through VNC and can route traffic through the victim’s machine via a SOCKS proxy.

Despite the public exposure and increased defenses, GlassWorm returned in early November on OpenVSX and then again in early December on VSCode.

GlassWorm back on OpenVSX

Koi Security researchers discovered a new GlassWorm campaign that targets macOS systems exclusively, a departure from the previous ones that focused only on Windows.

Instead of the invisible Unicode seen in the first two waves, or compiled Rust binaries used in the third one, the most recent GlassWorm attacks use an AES-256-CBC–encrypted payload embedded in compiled JavaScript in the OpenVSX extensions:

1. studio-velte-distributor.pro-svelte-extension
2. cudra-production.vsce-prettier-pro
3. Puccin-development.full-access-catppuccin-pro-extension

The malicious logic executes after a 15-minute delay, likely in an attempt to evade analysis in sandboxed environments.

Instead of PowerShell, it now uses AppleScript, and instead of Registry modification, it uses LaunchAgents for persistence. The Solana blockchain-based command-and-control (C2) mechanism remains unchanged, though, and researchers say that there is also infrastructure overlap.

Apart from targeting over 50 browser crypto extensions, developer credentials (GitHub, NPM), and browser data, GlassWorm now also attempts to steal Keychain passwords.

Additionally, it now features a new capability where it checks for hardware cryptocurrency wallet apps like Ledger Live and Trezor Suite on the host, and replaces them with a trojanized version.

However, Koi Security notes that this mechanism is currently failing because the trojanized wallets are returning empty files.

“This could mean the attacker is still preparing the macOS wallet trojans, or the infrastructure is in transition,” explains Koi Security.

“The capability is built and ready – it’s just waiting for payloads to be uploaded. All other malicious functionality (credential theft, keychain access, data exfiltration, persistence) remains fully operational.”

When BleepingComputer checked if the malicious extensions were still available on OpenVSX, the platform showed a warning for two of them, informing that their publisher was unverified.

The download counters show more than 33,000 installs, but such figures are frequently manipulated by threat actors to make the files appear more trustworthy.

Developers who have installed any of the three extensions are recommended to remove them immediately, reset their GitHub account passwords, revoke their NPM tokens, check their system for signs of infection, or reinstall it.