WebAssembly Malware Found in Trojanized Open VSX Extensions
Essential information
- Published: 16/06/2026 06:27
- Modified: 16/06/2026 11:18
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: chacha20 encryption, cryptocurrency targeting, dead-drop c2, glasswasm, open vsx, solana blockchain, supply chain, tinygo, vs code extensions, webassembly
- Related entities: 12 indicators, 12 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware, 2 others
Description
Trojanized Visual Studio Code extensions distributed via the Open VSX marketplace deliver a sophisticated WebAssembly-based attack chain. The extensions ship ChaCha20-encrypted TinyGo-compiled WebAssembly modules that poll the Solana blockchain for command-and-control instructions embedded in transaction memos. This novel dead-drop technique allows attackers to rotate infrastructure without hardcoded servers. Once activated, the modules read attacker instructions from a monitored Solana wallet address, then execute platform-specific download-and-execute commands via Node.js child_process to deploy second-stage payloads. The campaign impersonates legitimate extensions on Open VSX, exploiting cross-registry trust gaps to target VSCodium, Cursor, Windsurf, and other VS Code forks. Attribution points to GlassWorm-associated tradecraft with medium confidence, representing a new WebAssembly-based variant of previously documented supply chain compromise techniques.