Malware-laced extensions on the open source Open VSX marketplace have targeted macOS developers, exposing how trusted community-driven platforms can be weaponised at scale against modern software supply chains.
The Open VSX marketplace, a widely used open-source extension repository serving millions of developers, has been compromised with malicious extensions designed to steal cryptocurrency, credentials, and sensitive system data. The attack marks a significant supply-chain breach within the open-source ecosystem.
The latest campaign specifically targets macOS developers, signalling a shift from earlier Windows-focused activity. The malware, a self-replicating worm known as GlassWorm, is now in its fourth wave and has been active for approximately two and a half months.
Threat actors distributed the malicious extensions directly through Open VSX, which supports Visual Studio Code and forked editors such as Cursor. Researchers identified three malicious extensions that collectively amassed over 50,000 downloads before being removed. One extension masqueraded as “Prettier Pro,” presenting itself as a customisable code formatting tool, while others posed as productivity-enhancing utilities.
“The GlassWorm actor isn’t just persistent – they’re evolving. And now they’re coming for your Mac,” Koi Security researchers said.
Once installed, the malware delays execution by 15 minutes to evade sandbox detection and uses AES-256-CBC encryption to conceal its payload within JavaScript files. Unlike earlier Windows variants, the macOS version abandons Unicode tricks and Rust binaries.
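As an added example (not from the article or from the researchers), the sketch below triages extension JavaScript for the two traits described above: an AES-256-CBC decryption call combined with a timer delay of 15 minutes or more. The regexes, function names and sample sources are assumptions constructed for illustration, and a hit means the file deserves review, not that it is malicious.

```javascript
// Added example: heuristic triage of extension JavaScript (assumed names throughout).
const MIN_DELAY_MS = 15 * 60 * 1000; // the 15-minute delay reported in the article

// Matches crypto.createDecipheriv('aes-256-cbc', ...) with any quote style.
const AES_CBC = /createDecipheriv\s*\(\s*['"`]aes-256-cbc['"`]/i;
const TIMER = /\bset(?:Timeout|Interval)\s*\(/;
// A trailing numeric argument, written as a literal or a product: ", 15 * 60 * 1000)"
const NUM_ARG = /,\s*(\d[\d_]*(?:\s*\*\s*\d[\d_]*)*)\s*\)/g;

// Evaluate "15 * 60 * 1000" or "900_000" without eval().
function evalProduct(expr) {
  return expr.split('*').reduce((acc, t) => acc * Number(t.replace(/[_\s]/g, '')), 1);
}

// Report which indicators one source string shows.
function scanSource(src) {
  const longDelays = [];
  if (TIMER.test(src)) {
    for (const m of src.matchAll(NUM_ARG)) {
      const ms = evalProduct(m[1]);
      if (ms >= MIN_DELAY_MS) longDelays.push(ms);
    }
  }
  const aesCbc = AES_CBC.test(src);
  // Flag only the combination: long timers alone are common in benign code.
  return { aesCbc, longDelays, flagged: aesCbc && longDelays.length > 0 };
}

// Constructed samples (not real malware, not taken from the campaign).
const SAMPLES = {
  'formatter/extension.js': `
    const crypto = require('crypto');
    function later() {
      const d = crypto.createDecipheriv("aes-256-cbc", KEY, IV);
      run(Buffer.concat([d.update(BLOB), d.final()]).toString(), 1);
    }
    setTimeout(later, 15 * 60 * 1000);`,
  'linter/extension.js': `
    setTimeout(() => refresh(cache, 2), 500);`,
  'sync/extension.js': `
    setInterval(poll, 3_600_000); // hourly poll, no decryption`,
};

function flaggedFiles(files) {
  return Object.keys(files).filter((name) => scanSource(files[name]).flagged);
}

console.log(flaggedFiles(SAMPLES));
```

To use it on a workstation, pass the contents of each `.js` file from the editor's installed-extensions directory to `scanSource`. Minified or further obfuscated code can evade these patterns, so treat a clean result as inconclusive.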
“The attacker is fishing where the fish are. Developers use Macs. Especially in crypto, web3, and startup environments – exactly the victims GlassWorm wants to compromise,” researchers noted.
GlassWorm uses the Solana blockchain for command-and-control. It replaces hardware wallet applications and targets more than 50 crypto wallets and browser extensions. It also steals GitHub and NPM tokens, SSH keys, Keychain passwords, VPN configurations, and browser data.
“All other malicious functionality (credential theft, keychain access, data exfiltration, persistence) remains fully operational,” researchers warned.
Open VSX has urged developers to report malicious extensions at openvsx@eclipse-foundation.org.