Glassworm - a new evolution of malware (VS code users beware!)

in HiveDevs · yesterday

As I tend to do every night before bed, I clicked through my favorite Discord servers a last time to see if I missed something interesting, and mark everything as read. I didn't expect this to keep me awake for another hour while I learn about the latest malware going around - and I'm equally amazed and afraid. This is the most sophisticated attack ever, or at least I have ever seen.

This worm targets developers right now, but it's not far from being able to infect regular users in the near future.


Let me give you a quick run-down of what it does:

It started with an extension for Visual Studio Code, a very popular IDE (basically an editor with extra functions) for developers. The extension, named CodeJoy, provides productivity tools including AI, is updated regularly, and was downloaded several hundred times. Extensions are automatically updated on the user's system when a new version is released.
In version 1.8.3, the extension turned into malware. But the attackers hid it incredibly well. There are certain special Unicode characters which produce no visual output. They're not shown in diff views, and they're not recognized by tools scanning for suspicious code. So with the usual code review techniques, this code doesn't look dangerous, or like anything at all.
But the JavaScript interpreter will decode them.
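One defensive check that follows from this is to scan source text for runs of non-rendering code points before review or commit. The scanner below is an added example written for this post, not code from the extension or from Koi Security; the set of code point ranges it treats as invisible and the sample file contents are my own assumptions.

```python
import unicodedata

# Code points that render as nothing yet survive in source files (assumed set for this
# example): Unicode format characters (category Cf: zero-width space/joiner, bidi
# overrides, BOM) and the variation selector blocks, which are combining marks (Mn).
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))


def is_invisible(ch: str) -> bool:
    """True if the character has no visible glyph of its own."""
    return ord(ch) in VARIATION_SELECTORS or unicodedata.category(ch) == "Cf"


def find_invisible_runs(text: str, min_run: int = 1):
    """Return (line, start_col, length) for every run of invisible characters.

    A single U+FEFF at the very start of the file is a legitimate byte-order mark
    and is ignored; anywhere else it is reported like any other invisible character.
    Long runs are the strong signal: a payload hidden this way needs many of them.
    """
    runs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        start = None
        # Append a newline sentinel (category Cc, never "invisible" here) so a run
        # that reaches the end of the line is flushed.
        for col, ch in enumerate(line + "\n", 1):
            is_bom = lineno == 1 and col == 1 and ch == "\ufeff"
            if is_invisible(ch) and not is_bom:
                if start is None:
                    start = col
            elif start is not None:
                if col - start >= min_run:
                    runs.append((lineno, start, col - start))
                start = None
    return runs


# Constructed sample: line 3 carries four invisible code points after the semicolon.
SAMPLE = (
    "const greeting = 'hello';\n"
    "// harmless comment\n"
    "const x = 1;\ufe01\ufe0e\u200b\ufe02\n"
    "function run() { return 42; }\n"
)

if __name__ == "__main__":
    for line, col, length in find_invisible_runs(SAMPLE):
        print(f"line {line}, col {col}: {length} invisible code point(s)")
```

Running it against a checkout (for example by feeding each staged file to find_invisible_runs in a pre-commit hook) surfaces exactly the spans a diff viewer would have rendered as empty.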

This invisible code looks for transactions from a Solana blockchain address and reads the memo field. The memo contains a URL, from which the malware downloads the real malicious code. This is an extremely clever use of the blockchain. If his server is shut down, the attacker can simply post a new URL, and there's no way to prevent him from doing so: nobody can delete the transactions, and the wallet address is not traceable to a person. In short, there's no way to shut him down now.

The code downloaded from this server targets 49 different crypto wallets, including MetaMask and Coinbase Wallet, to drain them. But it doesn't stop there.
It also harvests credentials for the Visual Code marketplace (OpenVSX), GitHub and npm, and pushes the invisible code into packages the infected developer has write access to. This is what makes it a self-replicating worm.
Furthermore, it installs hidden remote access, which allows the attackers to connect to the machine directly, and sets up a proxy so the machine acts as an access point into the rest of the network it is connected to, even if it's behind a firewall.

So far it has infected approximately 35,000 developers and at least 7 VS Code extensions.

I skipped some more functions and details to keep this post from getting too long (and allow me to finally go to bed soon). To learn everything about it please refer to the original blog post from Koi Security, who discovered it.

So what does that mean for developers and regular users?
We pretty much cannot trust new versions of any package we install on our machines or use in our code any more. Auto-updating is now a serious security risk, and even with a manual review of the code it's easy to miss the invisible malicious code.
Devs need to be extra vigilant about possibly compromised workstations and malicious updates to their open source packages.
And it's now more important than ever for everyone to use separate devices for crypto and everything else.

Scary times. Stay safe out there!


This is terrifying.
Generally speaking, I don’t trust any precompiled programs.
I believe it’s safer to compile from source — after all, countless eyes are watching the code. I never imagined that malicious software could have such sophisticated ways of hiding itself.

For ordinary users, this is even more of a nightmare. They usually choose to trust developers, often overlooking the fact that a developer’s device or code could also be compromised.

It seems there really is a need to use a dedicated device — and only the most basic applications — when handling cryptocurrency operations.

whoaa that is crazy! thx for sharing

And it's now more important than ever for everyone to use separate devices for crypto and everything else.

100% excellent advice.

Thank you @pharesim ....you have my attention!

It has been a lingering thought for some time....'to get a separate computer'...thank you for this prompt.

Kind Regards, Bleujay

Back in July, I noticed a phishing email that did something similar using the blockchain as a layer: Phishing on the Blockchain: A Fascinatingly Complex Redirect

As much as I don't condone the malicious behavior, you have to admit it is genius

Wow, terrifying, this is why keeping crypto on a separate machine is so important.

My plan all along has been to have one laptop solely for crypto, which I believe is a must do anyway.

Sheesh! Sounds like Glassworm would have been one of those playful pieces of code I would have written myself in my youth on a boring winter day. LoL