{ "name": "WebAssembly Malware Found in Trojanized Open VSX Extensions", "slug": "webassembly-malware-found-in-trojanized-open-vsx-extensions", "description": "Trojanized Visual Studio Code extensions distributed via the Open VSX marketplace deliver a sophisticated WebAssembly-based attack chain. The extensions ship ChaCha20-encrypted TinyGo-compiled WebAssembly modules that poll the Solana blockchain for command-and-control instructions embedded in transaction memos. This novel dead-drop technique allows attackers to rotate infrastructure without hardcoded servers. Once activated, the modules read attacker instructions from a monitored Solana wallet address, then execute platform-specific download-and-execute commands via Node.js child_process to deploy second-stage payloads. The campaign impersonates legitimate extensions on Open VSX, exploiting cross-registry trust gaps to target VSCodium, Cursor, Windsurf, and other VS Code forks. Attribution points to GlassWorm-associated tradecraft with medium confidence, representing a new WebAssembly-based variant of previously documented supply chain compromise techniques.", "published": "2026-06-16T04:27:32.065000+00:00", "created_at": "2026-06-16T11:18:51.595000+00:00", "modified_at": "2026-06-16T09:18:51+00:00", "created_at_opencti": "2026-06-16T11:18:51.595000+00:00", "author": "AlienVault", "confidence": 100, "report_types": [ "threat-report" ], "labels": [ "chacha20 encryption", "cryptocurrency targeting", "dead-drop c2", "glasswasm", "open vsx", "solana blockchain", "supply chain", "tinygo", "vs code extensions", "webassembly" ], "tags": [ "2026-06-16", "chacha20 encryption", "cryptocurrency targeting", "dead-drop c2", "glasswasm", "open vsx", "solana blockchain", "supply-chain", "tinygo", "vs code extensions", "webassembly" ], "related_entities": { "observables": [ { "id": "", "name": "45.150.34.158" }, { "id": "", "name": "https://dodod.lat/darwin/i/_" }, { "id": "", "name": "http://dodod.lat/win32/i/_" }, { "id": "", "name": "https://dodod.lat/win32/i/_" }, { "id": "", "name": "http://dodod.lat/linux/i/_" }, { "id": "", "name": "http://dodod.lat/darwin/i/_" }, { "id": "", "name": "https://dodod.lat/" }, { "id": "", "name": "https://dodod.lat/linux/i/_" }, { "id": "", "name": "558b4f1d9a263c13756ab0126c09dd080c85ba405b29488e1c4e6aa68b554f1f" }, { "id": "", "name": "3aa31999398e7f80231c03d7137ffdb554a84b83dbcffc59ce16c9a65f9e5d58" }, { "id": "", "name": "1e283327ad048bea39f4a8501770858a20f3555e87fe3e202274f2e87f8a3c25" }, { "id": "9cd554f2-e099-44a3-9286-3699476c0955", "name": "dodod.lat" } ], "malware": [ { "id": "legacy:malware:be43c5078d63f12b", "name": "GlassWASM", "slug": "glasswasm" } ], "intrusion_sets": [ { "id": "67c1aee2-e138-4172-a6ab-9c500c039e6b", "name": "GlassWorm", "slug": "glassworm" } ], "attack_patterns": [ { "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd", "name": "T1036.005" }, { "id": "cf746a02-00ea-419e-912d-7b03f969c491", "name": "T1518.001" }, { "id": "d3254e3b-07e6-4420-96e0-2e107ce17712", "name": "T1102.001" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "32b33067-6566-4b8d-be80-e96f765d84de", "name": "T1059.001" }, { "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6", "name": "T1204.002" }, { "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46", "name": "T1059.003" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "2e0c6db7-16a7-4bf6-992e-263474014fce", "name": "T1059.004" }, { "id": "0b534d7b-0850-41a7-9bc5-f2e6162eea42", "name": "T1195.001" }, { "id": "c998d878-b668-40dd-a84c-9ca7f73caaa4", "name": "T1497.003" }, { "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9", "name": "T1497.001" }, { "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d", "name": "T1102" }, { "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58", "name": "T1562.001" }, { "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3", "name": "T1573.001" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" } ], "others": [ { "id": "", "name": "Technology" }, { "id": "", "name": "dodod.lat" } ], "indicators": [ { "id": "eb582147-2326-46be-9eaa-4c5a796baf20", "name": "558b4f1d9a263c13756ab0126c09dd080c85ba405b29488e1c4e6aa68b554f1f" }, { "id": "63a617af-9473-41e0-8da0-fbc2c8c72a08", "name": "https://dodod.lat/darwin/i/_" }, { "id": "8ac1a00b-4d38-499e-854d-d1332c354ac6", "name": "http://dodod.lat/win32/i/_" }, { "id": "e769decf-8317-4c21-b918-e934b3fa81fc", "name": "45.150.34.158" }, { "id": "195ada92-14b4-46ef-bd64-028d38920755", "name": "https://dodod.lat/win32/i/_" }, { "id": "d0d60aa9-e32d-4c5c-8c66-aa03b500aa68", "name": "3aa31999398e7f80231c03d7137ffdb554a84b83dbcffc59ce16c9a65f9e5d58" }, { "id": "2de7daa9-1e4e-4a12-9e7f-797e60bd694c", "name": "http://dodod.lat/linux/i/_" }, { "id": "e7930e9d-7fa9-4a2b-9054-f265e561aade", "name": "http://dodod.lat/darwin/i/_" }, { "id": "075f9664-5025-47be-bee5-0ded1ae48087", "name": "https://dodod.lat/" }, { "id": "be7cf8df-c89d-4082-81fd-ed108f215885", "name": "https://dodod.lat/linux/i/_" }, { "id": "78d4c552-d764-45cf-86d9-43ccd8eb08fd", "name": "dodod.lat" }, { "id": "9f26ba7a-2f0b-439f-81ea-7fa3c8a055c1", "name": "1e283327ad048bea39f4a8501770858a20f3555e87fe3e202274f2e87f8a3c25" } ] }, "external_refs": [ "https://socket.dev/blog/glasswasm-malware-open-vsx-extensions", "https://otx.alienvault.com/pulse/6a30d0b403db287f819b47e9" ] }