Here you will find all news items from CyberAnt

Once again malware found in US Code Extensions

in

In November 2025, cybersecurity researchers reported a new wave of malware targeting Visual Studio Code (VS Code) extensions. The campaign, called GlassWorm, was first identified by Koi Security in late October and has since resurfaced on other extensions.

Three extensions are still available in the Open VSX registry, a public repository that mirrors the Microsoft Extension Marketplace. The affected extensions are ai-driven-dev (3,402 downloads), adhamu.history-in-sublime-merge (4,057 downloads) and yasuyuky.transient-emacs (2,431 downloads). The extensions contained code hidden with invisible Unicode characters, a technique that hides malicious payloads from ordinary code reviews and static analysis tools.

Glassworm

GlassWorm’s objectives are threefold: first, it collects login credentials from the Open VSX registry, GitHub and various cryptocurrency wallet extensions; second, it robs funds from some 49 wallet extensions; and third, it installs additional tools that enable remote access to infected machines. The malware also spreads further by using the stolen login credentials to compromise other extensions.

Open VSX discovered the malicious extensions on Oct. 21, after which it removed them and rotated the associated access tokens. Despite these measures, recent analysis by Koi Security indicates that it is still possible to infect new extensions via the same Unicode trick. In addition, a new transaction on the Solana blockchain was observed. This transaction contained an updated C2 endpoint, which enables the malware to download the next payload. According to researchers Idan Dardikman, Yuval Ronen and Lotan Sery of Koi Security, the use of blockchain for command-and-control (C2) illustrates the attackers’ resilience: even when a hosting server goes offline, a low-cost transaction is sufficient to publish a new endpoint, after which infected systems automatically retrieve the new location.

Distribution

During additional research, the security vendor identified an endpoint that had been inadvertently exposed on the attacker’s server. The endpoint yielded a partial list of victims spread across the United States, South America, Europe and Asia, including a key government agency in the Middle East. The suspected origin of the malware came to light via keylogger data, presumably from a machine owned by the attackers themselves. Analysts identified the threat actor as Russian-speaking and discovered that it uses the open-source browser extension-C2 framework RedExt.

In a related study, Aikido Security published findings showing that GlassWorm has broadened its focus to GitHub. Stolen GitHub login credentials are now being used to push malicious commits into repositories, increasing the potential damage to open source projects.

Large-scale attack on popular npm packages: millions of websites and apps potentially affected

in

Several widely used npm-packages (software building blocks) have been infected with malicious code. This happened after a successful phishing attack on one of the administrators of these building blocks. An npm-package is a building block that developers can use in their software so they don’t have to reprogram frequently used components every time. As a result, building blocks end up everywhere: in custom software as well as in standard products. Together, the infected components are downloaded and used more than 2 billion times a week by developers worldwide.

Phishing

The attackers gained access to the repository through a phishing email. The attack targeted Josh Junon (also known as Qix), a developer who is co-manager of several popular packages. Qix has the rights to add and approve new code, making his account sufficient to spread this malware.

Junon received a phishing email that looked very much like it came from npm itself, telling him to renew his two-step authentication (2FA) via a link before Sept. 10, 2025. When he followed this link, he was taken to a fake website where he entered his username, password and 2FA code. This data was immediately intercepted by criminals through a so-called Adversary-in-the-Middle attack, which allowed them to gain access to his account. With that access, the attackers were then able to publish infected versions of twenty popular packages in the official npm library.

On BlueSky , Junon responded, “Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.”

Which packages are affected?

Among others, the following NPM packages contain temporarily malicious code:

  • chalk (widely used to display text in color in software tools)

  • debug (widely used for debugging)

  • ansi-regex, ansi-styles, wrap-ansi, strip-ansi (components that work with text formatting)

  • color-convert, color-string, color-name (for color management in software)

Together, these packages account for two billion downloads per week. Because they are often reused as building blocks in other packages, the infection was able to spread widely.

Especially risk for crypo providers

Analysis of the malware revealed that it was designed to steal cryptocurrency. The malicious code began by checking if it was running in a browser, then hooked into functions such as window.fetch, XMLHttpRequest and window.ethereum.request. These are components that websites use to exchange data and control crypto-wallets. This allowed the code to imperceptibly replace the recipient’s wallet address with that of the attacker during a payment, with the forged address resembling the original and therefore barely noticeable.

This type of attack comes under the heading of software supply chain attack. A supply chain attack involves attacking not the end user directly, but a link in the software supply chain. Similar attacks have been seen before, for example through typosquatting (offering a package with a nearly the same name as a popular package) or through slopsquatting (capitalizing on mistakes made by AI systems that recommend incorrect package names).

In this case, the malware specifically targets developers offering crypto-related services, so most software is unlikely to be affected even if it is infected.

Age verification on the Internet: what about privacy?

in

Currently, 18+ content is often shielded with a pop-up where the user must certify that they are 18+, something best described as a wash. The European Union is working on a system to improve age verification on the Internet as a temporary precursor to the digital identity card (EUDI wallet). Behind that seemingly simple question “Are you 18 or older?” lies a tricky problem: How do you verify someone’s age without compromising privacy?

What might that look like?

Worldwide, more countries are thinking about this idea or have even introduced it already. In some countries, for example, citizens are expected to upload their passport or driver’s license or have a facial scan performed, something that obviously has huge privacy implications. The system envisioned by the EU is better. It is a derivative, or rather precursor to the EUDI wallet. This is the digital proof of identity that will allow us to identify ourselves online in the future. The age verification system is essentially similar to the wristband system used at festivals: the bartender can tell by the color of your wristband that you are old enough to order a beer, but otherwise does not know who you are.

The system works roughly as follows:

  • You log in to the age verification app through an official entity (for example, a government, your bank or an approved identity provider).
  • That authority gives you a cryptographic proof: for example, “This person is 18 years of age or older.”
  • This proof is separate from the website you want to log into, so the identity provider does not know where you will use this proof.
  • When you go to a website (for example, examplesite.co.uk), you show that proof.
  • The website checks the proof and sees: this person is 18+, but otherwise does not see who you are.

So where is the problem?

That wristband at a festival works fine as long as it is a color-coded number given to every visitor 18+. But imagine it has a unique number. And imagine every bartender writing down that number. In the hospitality industry this would be weird, but digitally everything is logged. At the end of the, the catering manager could ask all the bartenders for the numbers, and know exactly what you ordered where. Combine that with camera footage and you’re suddenly a lot less anonymous.

In the “age proof” system now under development, a proof has a unique characteristic per person. Suppose the owner of examplesite.co.uk also runs viezeplaatjes.co.uk and gokpaleis123.co.uk. By logging the unique attribute, he can see exactly that you came to all those sites. Does he also run a webshop where you buy something? Then he has your name and address information and can link your entire surfing behavior to your real identity.

It would be even worse if a company like Google built a handy plug-in for website owners where they could support this tricky protocol just by clicking “install.” Never mind those cookies: this would be the most robust way of online tracking.

Zero knowledge proof

One promising technique to solve this privacy problem is called zero-knowledge proof. In short, this is a cryptographic way to prove something without revealing the underlying information. Specifically, it works like this: your identity provider generates a digital proof based on your data, but encrypted in such a way that a website can only verify that the proof is valid for “18+,” without learning anything else about you. Each time you create such a proof, it can be constructed differently, so websites cannot link it to previous proofs.

However, the fact that evidence can no longer be traced back to an individual also creates new problems, because how do you prevent someone from lending their wristband to someone else? One solution could be to store the evidence in a secure piece in hardware, but this requires that the majority of EU citizens have a device that supports this, something that is not currently the case. Still, zero knowledge proof seems to be the only way to keep the Internet privacy-friendly. All in all, privacy and online age verification seem to be and especially complicated duo.

Magecart attack claims 8.8 million victims worldwide

in

Security researchers discovered a web-skimming operation that claimed more than 8.8 million victims worldwide. Since January 2022, the criminals attacked legitimate Web shops, injecting malware into the checkout process to steal credit card information.

Magecart

The campaign is an example of a Magecart attack. Magecart refers to a collection of criminal groups that inject malicious JavaScript code into legitimate online stores. The name originated in attacks on sites built on the Magento platform, but the methods have spread to many other e-commerce systems over time. Silent Push’s team traced the operation to a domain, cdn-cookie.com, hosted on a so-called bullet-proof hosting service formerly known as Stark Industries and now renamed THE[.]Hosting under Dutch ownership.

Analysis of the malware

When a customer visits a compromised checkout page, the injected script – often called recorder.js or tab-gtm.js – executes in the browser. It first checks the Document Object Model (DOM) for an element called wpadminbar, a toolbar that appears on WordPress sites when an administrator is logged in. If the toolbar is detected, the script removes itself from the page and stops executing, a technique designed to avoid detection by site administrators.

The malware is activated when the DOM of the page changes, which happens as soon as a user performs an action on the site. Next, the script checks to see if the user has selected Stripe as the payment method. If Stripe is selected, the script looks for the flag wc_cart_hash in the localStorage of the browser. The mechanism ensures that the user is targeted only once.

When the flag is missing, the script replaces the legitimate Stripe form with a fake form that appears identical to the real one. The fake form collects the credit card and contact information and sends it the domain lasorie.com. Because the script hides the original Stripe fields, the payment gateway reports an error at checkout, making it appear that the customer has entered incorrect information. If the user tries again, the malware does not become active again, so the payment works the second time and the user does not realize anything.

Distribution

Worldwide, there are more than 8.8 million victims of this online skimming. Webshop owners can protect their customers by preventing their website from being hacked by ensuring that their website is hardened, security updates are performed on time and the website is security tested, such as with a pen test.

Want to know if your webshop is secure? Get in touch with us. We would love to help you!

CyberAnt moved to Zeewolde

in
Read more

CyberAnt ISO 27001 and 9001 certified

in
Read more

Subsidy for web shops

in
Read more

How secure is your network?

in
Read more