Threats Tagged 'cryptocurrency targeting'

Trojanized Visual Studio Code extensions distributed via the Open VSX marketplace deliver a sophisticated WebAssembly-based attack chain. The extensions ship ChaCha20-encrypted TinyGo-compiled WebAssembly modules that poll the Solana blockchain for command-and-control instructions embedded in transaction memos. This novel dead-drop technique allows attackers to rotate infrastructure without hardcoded servers. Once activated, the modules read attacker instructions from a monitored Solana wallet address, then execute platform-specific download-and-execute commands via Node.js child_process to deploy second-stage payloads. The campaign impersonates legitimate extensions on Open VSX, exploiting cross-registry trust gaps to target VSCodium, Cursor, Windsurf, and other VS Code forks. Attribution points to GlassWorm-associated tradecraft with medium confidence, representing a new WebAssembly-based variant of previously documented supply chain compromise techniques.

A sophisticated fake recruitment campaign named 'graphalgo' has been active since May 2025, targeting JavaScript and Python developers in the cryptocurrency sector. Attackers approach victims through LinkedIn, Facebook, and Reddit with fabricated job opportunities from fake blockchain companies like Veltrix Capital. The campaign uses malicious dependencies hidden in npm and PyPI packages, delivered through coding test repositories on GitHub. Notable is the bigmathutils package that accumulated over 10,000 downloads before its malicious version was released. The operation deploys a remote access trojan (RAT) with token-protected C2 communication, file manipulation capabilities, and functionality to detect the Metamask browser extension, indicating focus on cryptocurrency theft. The modular campaign design allows threat actors to maintain backend infrastructure while easily replacing compromised frontend elements.