Overview
- On January 30, malicious updates were pushed to four established Open VSX extensions with more than 22,000 prior downloads combined: ssh-tools, i18n-tools-plus, mind-map, and scss-to-css-compile.
- Open VSX’s security team reported unauthorized publishing access consistent with leaked publisher tokens; it revoked the credentials and removed the tainted releases. ssh-tools was delisted entirely, and the current versions of the other three are reported clean.
- The payload deploys a Node.js implant that activates only on macOS after environment checks, skips Russian locales, persists via a LaunchAgent, and stages data for exfiltration.
- Targeted data includes npm _authToken, GitHub artifacts, AWS and SSH credentials, browser cookies and logins, iCloud Keychain, Safari cookies, Apple Notes, FortiClient VPN files, local documents, and multiple cryptocurrency wallets.
- Command-and-control is resolved via Solana transaction memos and EtherHiding techniques, marking an escalation from earlier typosquatting to publisher compromise and complicating detection for affected developers.
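A triage helper, added here as an example (not code from the advisory or from Open VSX), that flags the four extension names above in the usual VS Code and VSCodium extension folders and lists per-user LaunchAgents for manual review. The folder paths, the `<publisher>.<name>-<version>` folder-name format, and matching by extension name alone (the page does not give publisher IDs) are assumptions.

```python
"""Triage helper for the Open VSX incident summarised above.

Flags installed extensions whose name matches one of the four affected
extensions and lists per-user LaunchAgents, the persistence mechanism the
implant uses on macOS. Paths and naming conventions are assumptions.
"""
import re
from pathlib import Path

# Extension names from the incident summary. Publisher IDs are not given on
# the page, so matching is by extension name only; confirm hits manually.
SUSPECT_NAMES = {"ssh-tools", "i18n-tools-plus", "mind-map", "scss-to-css-compile"}

# Installed-extension folders are assumed to be named "<publisher>.<name>-<version>".
_FOLDER_RE = re.compile(r"^(?P<publisher>[^.]+)\.(?P<name>.+)-(?P<version>\d+\.\d+\.\d+.*)$")


def find_suspect_extensions(folder_names):
    """Return (publisher, name, version) for folders whose extension name is suspect."""
    hits = []
    for folder in folder_names:
        m = _FOLDER_RE.match(folder)
        if m and m.group("name") in SUSPECT_NAMES:
            hits.append((m.group("publisher"), m.group("name"), m.group("version")))
    return hits


def installed_extension_folders(home=Path.home()):
    """Folder names under the usual VS Code and VSCodium extension roots (assumed paths)."""
    roots = [home / ".vscode" / "extensions", home / ".vscode-oss" / "extensions"]
    names = []
    for root in roots:
        if root.is_dir():
            names.extend(p.name for p in root.iterdir() if p.is_dir())
    return names


def user_launch_agents(home=Path.home()):
    """List per-user LaunchAgent plists so unfamiliar entries can be reviewed."""
    agents_dir = home / "Library" / "LaunchAgents"
    return sorted(p.name for p in agents_dir.glob("*.plist")) if agents_dir.is_dir() else []


if __name__ == "__main__":
    for pub, name, ver in find_suspect_extensions(installed_extension_folders()):
        print(f"SUSPECT extension installed: {pub}.{name} {ver} (verify against the Open VSX advisory)")
    for plist in user_launch_agents():
        print(f"LaunchAgent present: {plist}")
```

A hit only means the extension name matches; check the publisher and version against the Open VSX advisory before treating the host as compromised.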