GlassWorm Targets Developer IDEs Again, Hiding Staged Malware Behind Runtime-Rebuilt Loaders
ID: e3e6921c-cc1c-5121-b286-0776c005cc3d
STIX ID: report--e3e6921c-cc1c-5121-b286-0776c005cc3d
Feed Name: Checkmarx Zero
Checkmarx Zero describes a GlassWorm campaign distributing malicious VS Code/Open VSX extensions (13 packages, ~50k downloads) that use obfuscated loaders and Solana memos to stage payload delivery. The malware harvests developer credentials (npm, GitHub), targets cryptocurrency wallets, establishes persistence and remote access (HVNC, SOCKS, DHT/socket communications), and applies region-based (Russian) evasion. The report provides extensive IoCs (RPC endpoints, wallet addresses, IPs, file and registry artifacts) for detection and remediation.
