WebAssembly Malware Found in Trojanized Open VSX Extensions

Description

Trojanized Visual Studio Code extensions distributed via the Open VSX marketplace deliver a sophisticated WebAssembly-based attack chain. The extensions ship ChaCha20-encrypted TinyGo-compiled WebAssembly modules that poll the Solana blockchain for command-and-control instructions embedded in transaction memos. This novel dead-drop technique allows attackers to rotate infrastructure without hardcoded servers. Once activated, the modules read attacker instructions from a monitored Solana wallet address, then execute platform-specific download-and-execute commands via Node.js child_process to deploy second-stage payloads. The campaign impersonates legitimate extensions on Open VSX, exploiting cross-registry trust gaps to target VSCodium, Cursor, Windsurf, and other VS Code forks. Attribution points to GlassWorm-associated tradecraft with medium confidence, representing a new WebAssembly-based variant of previously documented supply chain compromise techniques.