Overview
- Researchers say the malware hides its logic with invisible Unicode characters and harvests GitHub, npm, and OpenVSX credentials as well as data from 49 cryptocurrency wallet extensions.
- Stolen publisher accounts let the attackers push malicious versions of legitimate extensions, and because editors auto-update extensions by default, the worm spreads without any user interaction.
- Command and control relies on resilient channels, including Solana blockchain transactions with embedded payload links, a Google Calendar fallback, and BitTorrent’s DHT.
- The final ZOMBI payload deploys SOCKS proxies and hidden VNC components, converting infected workstations into nodes for criminal activity.
- At least eleven OpenVSX extensions and one on Microsoft's Visual Studio Marketplace were flagged. Microsoft removed the VS Code listing, while some OpenVSX entries remained available; maintainers began shipping clean updates, and researchers urged immediate scanning and remediation with tools such as vscan.dev.
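A first-pass check for the technique in the first bullet, added here as an example that is not the researchers' tooling and not vscan.dev: a small Node.js scanner that walks an extension's JavaScript by code point and reports every invisible or direction-control character with its line and column, then summarizes the hits. The range list, the names, and the sample source are assumptions constructed for this example; the page does not say which code points the malware used.

```javascript
'use strict';

// Code point ranges that render as nothing (or only steer text direction) and
// so should not appear in extension source outside string literals or comments.
// This list is an assumption of this example, not the researchers' signature.
const INVISIBLE_RANGES = [
  [0x00AD, 0x00AD, 'SOFT HYPHEN'],
  [0x180E, 0x180E, 'MONGOLIAN VOWEL SEPARATOR'],
  [0x200B, 0x200B, 'ZERO WIDTH SPACE'],
  [0x200C, 0x200D, 'ZERO WIDTH (NON-)JOINER'],
  [0x200E, 0x200F, 'LEFT/RIGHT-TO-LEFT MARK'],
  [0x202A, 0x202E, 'BIDI EMBEDDING/OVERRIDE'],
  [0x2060, 0x2064, 'WORD JOINER / INVISIBLE OPERATOR'],
  [0x2066, 0x2069, 'BIDI ISOLATE'],
  [0xFE00, 0xFE0F, 'VARIATION SELECTOR'],
  [0xFEFF, 0xFEFF, 'ZERO WIDTH NO-BREAK SPACE'],
  [0xE0000, 0xE007F, 'TAG CHARACTER'],
  [0xE0100, 0xE01EF, 'VARIATION SELECTOR SUPPLEMENT'],
];

function classify(cp) {
  for (const [lo, hi, name] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return name;
  }
  return null;
}

// Walk the source by code point (not UTF-16 unit, so astral-plane selectors
// are seen whole) and record every invisible character with its position.
function scanInvisibleUnicode(source) {
  const findings = [];
  let line = 1, col = 1, idx = 0;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    const name = classify(cp);
    // A byte-order mark as the very first character is a legitimate encoding marker.
    if (name !== null && !(cp === 0xFEFF && idx === 0)) {
      findings.push({
        idx, line, col, name,
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
      });
    }
    if (ch === '\n') { line += 1; col = 1; } else { col += 1; }
    idx += 1;
  }
  return findings;
}

// Aggregate findings. A long run of consecutive invisible code points is the
// signature of data encoded in them; an isolated one is more likely an accident.
function summarize(findings) {
  const byName = {};
  const lines = new Set();
  let longestRun = 0, run = 0, prevIdx = -2;
  for (const f of findings) {
    byName[f.name] = (byName[f.name] || 0) + 1;
    lines.add(f.line);
    run = f.idx === prevIdx + 1 ? run + 1 : 1;
    if (run > longestRun) longestRun = run;
    prevIdx = f.idx;
  }
  return { total: findings.length, longestRun, byName, lines: [...lines].sort((a, b) => a - b) };
}

// Constructed sample of extension code with two planted tricks: a zero-width
// joiner that makes `name` a different identifier from the one declared, and
// a run of variation selectors carrying hidden data inside a string.
const SAMPLE = [
  '// constructed sample, not code from any real extension',
  'const activate = (ctx) => {',
  '  const name\u200D = "extension";',
  '  const blob = "\uFE00\uFE01\u{E0101}\uFE0F\uFE02";',
  '  return name;',
  '};',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scanInvisibleUnicode(SAMPLE);
  for (const f of findings) console.log(`${f.line}:${f.col} ${f.codePoint} ${f.name}`);
  console.log(summarize(findings));
}
```

Run it over every `.js` file in an unpacked `.vsix` or extension directory (the `extension/` folder and any bundled `dist/` output). Ordinary extension code has zero hits outside deliberate internationalized strings, so treat any finding as worth a look, and treat a `longestRun` in the dozens or hundreds as encoded payload rather than a stray character. Bidi overrides in particular can also make displayed code differ from what the engine parses, so flag them even when they appear inside comments.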