Tag Archive for: malware

Once again malware found in US Code Extensions

in

In November 2025, cybersecurity researchers reported a new wave of malware targeting Visual Studio Code (VS Code) extensions. The campaign, called GlassWorm, was first identified by Koi Security in late October and has since resurfaced on other extensions.

Three extensions are still available in the Open VSX registry, a public repository that mirrors the Microsoft Extension Marketplace. The affected extensions are ai-driven-dev (3,402 downloads), adhamu.history-in-sublime-merge (4,057 downloads) and yasuyuky.transient-emacs (2,431 downloads). The extensions contained code hidden with invisible Unicode characters, a technique that hides malicious payloads from ordinary code reviews and static analysis tools.

Glassworm

GlassWorm’s objectives are threefold: first, it collects login credentials from the Open VSX registry, GitHub and various cryptocurrency wallet extensions; second, it robs funds from some 49 wallet extensions; and third, it installs additional tools that enable remote access to infected machines. The malware also spreads further by using the stolen login credentials to compromise other extensions.

Open VSX discovered the malicious extensions on Oct. 21, after which it removed them and rotated the associated access tokens. Despite these measures, recent analysis by Koi Security indicates that it is still possible to infect new extensions via the same Unicode trick. In addition, a new transaction on the Solana blockchain was observed. This transaction contained an updated C2 endpoint, which enables the malware to download the next payload. According to researchers Idan Dardikman, Yuval Ronen and Lotan Sery of Koi Security, the use of blockchain for command-and-control (C2) illustrates the attackers’ resilience: even when a hosting server goes offline, a low-cost transaction is sufficient to publish a new endpoint, after which infected systems automatically retrieve the new location.

Distribution

During additional research, the security vendor identified an endpoint that had been inadvertently exposed on the attacker’s server. The endpoint yielded a partial list of victims spread across the United States, South America, Europe and Asia, including a key government agency in the Middle East. The suspected origin of the malware came to light via keylogger data, presumably from a machine owned by the attackers themselves. Analysts identified the threat actor as Russian-speaking and discovered that it uses the open-source browser extension-C2 framework RedExt.

In a related study, Aikido Security published findings showing that GlassWorm has broadened its focus to GitHub. Stolen GitHub login credentials are now being used to push malicious commits into repositories, increasing the potential damage to open source projects.

Magecart attack claims 8.8 million victims worldwide

in

Security researchers discovered a web-skimming operation that claimed more than 8.8 million victims worldwide. Since January 2022, the criminals attacked legitimate Web shops, injecting malware into the checkout process to steal credit card information.

Magecart

The campaign is an example of a Magecart attack. Magecart refers to a collection of criminal groups that inject malicious JavaScript code into legitimate online stores. The name originated in attacks on sites built on the Magento platform, but the methods have spread to many other e-commerce systems over time. Silent Push’s team traced the operation to a domain, cdn-cookie.com, hosted on a so-called bullet-proof hosting service formerly known as Stark Industries and now renamed THE[.]Hosting under Dutch ownership.

Analysis of the malware

When a customer visits a compromised checkout page, the injected script – often called recorder.js or tab-gtm.js – executes in the browser. It first checks the Document Object Model (DOM) for an element called wpadminbar, a toolbar that appears on WordPress sites when an administrator is logged in. If the toolbar is detected, the script removes itself from the page and stops executing, a technique designed to avoid detection by site administrators.

The malware is activated when the DOM of the page changes, which happens as soon as a user performs an action on the site. Next, the script checks to see if the user has selected Stripe as the payment method. If Stripe is selected, the script looks for the flag wc_cart_hash in the localStorage of the browser. The mechanism ensures that the user is targeted only once.

When the flag is missing, the script replaces the legitimate Stripe form with a fake form that appears identical to the real one. The fake form collects the credit card and contact information and sends it the domain lasorie.com. Because the script hides the original Stripe fields, the payment gateway reports an error at checkout, making it appear that the customer has entered incorrect information. If the user tries again, the malware does not become active again, so the payment works the second time and the user does not realize anything.

Distribution

Worldwide, there are more than 8.8 million victims of this online skimming. Webshop owners can protect their customers by preventing their website from being hacked by ensuring that their website is hardened, security updates are performed on time and the website is security tested, such as with a pen test.

Want to know if your webshop is secure? Get in touch with us. We would love to help you!