Invisible malware spread via VS Code extensions
Update November 6: The leak has now been fixed. The Open VSX team confirmed the incident was fully contained and closed as of October 21.
Security Improvements Implemented
- Token lifetimes have been shortened to reduce leak risks.
- Withdrawals of tokens are now faster due to enhanced internal workflows.
- Security scans will be mandatory for extension publications.
- Collaboration with other marketplace operators to share risk mitigation strategies.
Details of the Attack
The Open VSX team was alerted after research by Wiz and a subsequent report from Koi Security revealed a new cyber threat targeting developers using Visual Studio Code.
Researchers at Koi Security named the attack "GlassWorm," describing it as a worm that propagates through infected VS Code extensions.
GlassWorm is notable for using invisible Unicode characters that hide malicious code from both developers and security tools, marking it as the first attack to exploit this method.
The infection started on the OpenVSX Marketplace, an open-source alternative to Microsoft's VS Code extension store. A popular extension, CodeJoy, was compromised in version 1.8.3.
Summary
This sophisticated malware exploited invisible characters to stealthily infect VS Code extensions, prompting swift and extensive platform security upgrades.
Would you prefer a more technical or a general audience tone for the summary?