WebAssembly Malware Found in Trojanized Open VSX Extensions
Trojanized Visual Studio Code extensions distributed via the Open VSX marketplace contain sophisticated WebAssembly-based malware. These extensions include ChaCha20-encrypted, TinyGo-compiled WebAssembly modules that use the Solana blockchain to receive command-and-control instructions embedded in transaction memos. This technique lets attackers avoid hardcoded infrastructure by using the blockchain as a dead drop for commands. The malware executes platform-specific download-and-execute commands via Node.js to deploy additional payloads. The campaign targets VS Code forks such as VSCodium, Cursor, and Windsurf by impersonating legitimate extensions and exploiting cross-registry trust gaps. The activity is attributed with medium confidence to the GlassWorm threat actor group and represents a novel WebAssembly-based variant of supply chain compromise.
AI Analysis
Technical Summary
This threat involves malicious Visual Studio Code extensions distributed through the Open VSX marketplace that carry WebAssembly malware encrypted with ChaCha20 and compiled with TinyGo. The malware polls the Solana blockchain for command-and-control instructions embedded in transaction memos, a novel dead-drop method that allows attackers to rotate infrastructure without relying on hardcoded servers. Upon activation, the malware reads instructions from a monitored Solana wallet and executes platform-specific commands via Node.js child_process to download and execute second-stage payloads. The campaign impersonates legitimate extensions targeting various VS Code forks, exploiting trust gaps between extension registries. The activity is attributed with medium confidence to the GlassWorm adversary group and represents a new variant of supply chain compromise using WebAssembly.
Potential Impact
The malware enables attackers to remotely control infected systems by retrieving commands from the Solana blockchain, allowing dynamic and resilient command-and-control infrastructure. This can lead to the deployment of additional malicious payloads on compromised systems. The use of trusted extension marketplaces and impersonation of legitimate extensions increases the risk of widespread infection among users of VS Code forks. The supply chain compromise vector undermines software integrity and user trust in extension ecosystems.
Mitigation Recommendations
No official patch or remediation is indicated in the provided data. Users should avoid installing extensions from untrusted or unofficial sources such as the Open VSX marketplace, especially those impersonating legitimate extensions. Monitoring for known indicators of compromise such as the listed IP addresses, hashes, and domains (e.g., dodod.lat) can help detect infections. Vendors and marketplace operators should review and strengthen extension vetting processes to prevent trojanized extensions. Patch status is not yet confirmed — check vendor advisories and marketplace updates for current remediation guidance.
Indicators of Compromise
- ip: 45.150.34.158
- hash: 4e143876eeaf5e767a9971f603b0f13c
- hash: b262b8d2ac2f0ab3c78251db44ecf3ac
- hash: f595fb7867beb76b4deab53fa328e0a2
- hash: 824e601b599b9ad97ee12f0b3a72efd20ba59d47
- hash: 8ebac142e34a20c297d3ccaca7ee5d9ddd24fed4
- hash: c0ed7d575fe8085e942898c9a26f15992c895ba9
- hash: 1e283327ad048bea39f4a8501770858a20f3555e87fe3e202274f2e87f8a3c25
- hash: 3aa31999398e7f80231c03d7137ffdb554a84b83dbcffc59ce16c9a65f9e5d58
- hash: 558b4f1d9a263c13756ab0126c09dd080c85ba405b29488e1c4e6aa68b554f1f
- url: http://dodod.lat/darwin/i/_
- url: http://dodod.lat/linux/i/_
- url: http://dodod.lat/win32/i/_
- url: https://dodod.lat/
- url: https://dodod.lat/darwin/i/_
- url: https://dodod.lat/linux/i/_
- url: https://dodod.lat/win32/i/_
- domain: dodod.lat
Technical Details
- Author: AlienVault
- TLP: white
- References: https://socket.dev/blog/glasswasm-malware-open-vsx-extensions
- Adversary: GlassWorm
- Pulse ID: 6a30d0b403db287f819b47e9
- Threat Score: null
Threat ID: 6a3133cd0b89be68889d53ad
Added to database: 6/16/2026, 11:30:21 AM
Last enriched: 6/16/2026, 11:45:46 AM
Last updated: 6/16/2026, 12:40:15 PM