GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions
WebAssembly malware found in trojanized VS Code extensions on Open VSX marketplace.
Summary
Researchers discovered WebAssembly malware, dubbed GlassWASM, embedded in trojanized VS Code extensions distributed via the Open VSX marketplace. The malware uses Solana blockchain transactions as a takedown-resistant C2 channel and executes cross-platform download-and-execute commands. The campaign is attributed with medium confidence to the GlassWorm developer due to overlapping tradecraft.
Full text
Research/Security NewsMini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI WheelsNewer packages in this compromise use native extensions and .pth loaders to execute JavaScript stealers in developer environments.By Kirill Boychenko - Jun 08, 2026
Indicators of Compromise
- url — https://api.mainnet.solana.com
- domain — dodod.lat
- url — https://dodod.lat/darwin/i/_
- url — https://dodod.lat/linux/i/_
- url — https://dodod.lat/win32/i/_
- malware — GlassWASM
- hash_sha256 — 558b4f1d9a263c13756ab0126c09dd080c85ba405b29488e1c4e6aa68b554f1f
- hash_sha1 — 8ebac142e34a20c297d3ccaca7ee5d9ddd24fed4
- hash_md5 — 4e143876eeaf5e767a9971f603b0f13c