Threats Tagged 'supply chain'

A sophisticated supply chain attack uses typosquatting on the popular postcss-selector-parser npm package to distribute a multi-stage Windows Remote Access Trojan (RAT). Malicious packages masquerade as PostCSS utilities and deploy encoded JavaScript that drops PowerShell scripts. These scripts download a bundled Python runtime with Nuitka-compiled modules, culminating in a RAT with capabilities such as encrypted HTTP C2 communication, persistence, VM detection, remote shell, file transfer, and Chrome credential theft via DPAPI. This attack highlights risks in build tooling dependencies as malware delivery vectors targeting developer environments.

Trojanized Visual Studio Code extensions distributed via the Open VSX marketplace deliver a sophisticated WebAssembly-based attack chain. The extensions ship ChaCha20-encrypted TinyGo-compiled WebAssembly modules that poll the Solana blockchain for command-and-control instructions embedded in transaction memos. This novel dead-drop technique allows attackers to rotate infrastructure without hardcoded servers. Once activated, the modules read attacker instructions from a monitored Solana wallet address, then execute platform-specific download-and-execute commands via Node.js child_process to deploy second-stage payloads. The campaign impersonates legitimate extensions on Open VSX, exploiting cross-registry trust gaps to target VSCodium, Cursor, Windsurf, and other VS Code forks. Attribution points to GlassWorm-associated tradecraft with medium confidence, representing a new WebAssembly-based variant of previously documented supply chain compromise techniques.