GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace

Yeah, my eyes almost rolled out of my head reading their hilariously dumb description.

Let me say that again: the malware is invisible. Not obfuscated. Not hidden in a minified file. Actually invisible to the human eye.

No, it's definitely obfuscated!

To a developer doing code review, it looks like blank lines or whitespace. To static analysis tools scanning for suspicious code, it looks like nothing at all. But to the JavaScript interpreter? It's executable code.

No, it looks like a string that contains whitespace. Which makes no sense and is a big red flag. Plus the function used to decode the whitespace would also be included in the diff where any human reviewer would get suspicious. It's a somewhat clever attack, but framing it as completely unprecedented is silly. Jia Tan was far more sophisticated than this.

The section about the Solana blockchain I was less clear on because I just don't know that domain at all.

Legitimate traffic: Connections to Solana RPC nodes look completely normal. Security tools won't flag it.‍

Once you've been made aware that this Solana blockchain is being used to distribute malware, is there a way to block it at the network level? The post implies that it can't be blocked because Solana could be used for something legitimate, but that's obviously bullshit. It's peer-to-peer once you've established the connection, but surely it has to bootstrap off something, right?

Ironically the first time I came across this link I closed the tab pretty quickly after seeing the slop header image. Then I came back to it after it was referenced elsewhere in a description that was light on details, but now I'm starting to think my initial reaction was the correct one.