Search results for Open in VSCode | Breaking Cybersecurity News | The Hacker News

The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue. GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm, Open VSX, GitHub, and Git credentials, drain cryptocurrency assets from dozens of wallets, and turn developer machines into attacker-controlled nodes for other criminal activities. The most crucial aspect of the campaign is the abuse of the stolen credentials to compromise additional packages and extensions, thereby spreading the malware like a worm. Despite continued efforts of Microsoft and Open VSX, the malware resurfaced a second time last month, and the attackers were observed targeting GitHub repositories. The latest wave of the GlassWorm campaign, spotted by Secure Annex's Jo...

Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks. Some of the extensions in question are "LaTeX Workshop," "Rainbow Fart," "Open in Default Browser," and "Instant Markdown," all of which have cumulatively racked up about two million installations between them. "Developer machines usually hold significant credentials, allowing them (directly or indirectly) to interact with many parts of the product," researchers from open-source security platform Snyk  said  in a deep-dive published on May 26. "Leaking a developer's private key can allow a malicious stakeholder to clone important...

Everything feels secure—until one small thing slips through. Even strong systems can break if a simple check is missed or a trusted tool is misused. Most threats don't start with alarms—they sneak in through the little things we overlook. A tiny bug, a reused password, a quiet connection—that's all it takes. Staying safe isn't just about reacting fast. It's about catching these early signs before they blow up into real problems. That's why this week's updates matter. From stealthy tactics to unexpected entry points, the stories ahead reveal how quickly risk can spread—and what smart teams are doing to stay ahead. Dive in. ⚡ Threat of the Week U.S. Disrupts N. Korea IT Worker Scheme — Prosecutors said they uncovered the North Korean IT staff working at over 100 U.S. companies using fictitious or stolen identities and not only drawing salaries, but also stealing secret data and plundering virtual currency more than $900,000 in one incident targeting an unnamed blockchain company in ...

Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called  TurkoRat . The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down. ReversingLabs, which broke down the details of the campaign, described TurkoRat as an information stealer capable of harvesting sensitive information such as login credentials, website cookies, and data from cryptocurrency wallets.  While nodejs-encrypt-agent came fitted with the malware inside, nodejs-cookie-proxy-agent was found to disguise the trojan as a dependency under the name axios-proxy. nodejs-encrypt-agent was also engineered to masquerade as another legitimate npm module known as  agent-base , which has been downloaded over 25 million times to date. The list of the rogue packages and their a...

A security weakness has been disclosed in the artificial intelligence (AI)-powered code editor Cursor that could trigger code execution when a maliciously crafted repository is opened using the program. The issue stems from the fact that an out-of-the-box security setting is disabled by default, opening the door for attackers to run arbitrary code on users' computers with their privileges. "Cursor ships with Workspace Trust disabled by default, so VS Code-style tasks configured with runOptions.runOn: 'folderOpen' auto-execute the moment a developer browses a project," Oasis Security said in an analysis. "A malicious .vscode/tasks.json turns a casual 'open folder' into silent code execution in the user's context." Cursor is an AI-powered fork of Visual Studio Code, which supports a feature called Workspace Trust to allow developers to safely browse and edit code regardless of where it came from or who wrote it. With this option disab...

Threat actors have been observed uploading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node that have racked up thousands of downloads on the package registry. The counterfeit versions, named @typescript_eslinter/eslint and types-node , are engineered to download a trojan and retrieve second-stage payloads, respectively. "While typosquatting attacks are hardly new, the effort spent by nefarious actors on these two libraries to pass them off as legitimate is noteworthy," Sonatype's Ax Sharma said in an analysis published Wednesday. "Furthermore, the high download counts for packages like "types-node" are signs that point to both some developers possibly falling for these typosquats, and threat actors artificially inflating these counts to boost the trustworthiness of their malicious components." The npm listing for @typescript_eslinter/eslint, Sonatype's analysis revealed, points to a phony GitHub repo...

This week saw a lot of new cyber trouble. Hackers hit Fortinet and Chrome with new 0-day bugs. They also broke into supply chains and SaaS tools. Many hid inside trusted apps, browser alerts, and software updates. Big firms like Microsoft, Salesforce, and Google had to react fast — stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how fast fake news, AI risks, and attacks on developers are growing. Here's what mattered most in security this week. ⚡ Threat of the Week Fortinet Warns of Another Silently Patched and Actively Exploited FortiWeb Flaw — Fortinet has warned that a new security flaw in FortiWeb has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0. It has been addressed in version 8.0.2. "An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an a...

This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme where cybercriminals used AI tools for harmful pranks, and a massive trove of live secrets was discovered, reminding us that even the tools we rely on can hide risky surprises. We've sifted through a storm of cyber threats—from phishing scams to malware attacks—and broken down what it means for you in clear, everyday language. Get ready to dive into the details, understand the risks, and learn how to protect yourself in an increasingly unpredictable online world. ⚡ Threat of the Week Serbian Youth Activist Targeted by Android 0-Day Exploit Chain — A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit chain developed by Cellebrite to unlock the device and likely deploy an Android spyware called NoviSpy. The flaws combined ...

Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks. The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span of a month after the Shai-Hulud worm that targeted the npm ecosystem in mid-September 2025. What makes the attack stand out is the use of the Solana blockchain for command-and-control (C2), making the infrastructure resilient to takedown efforts. It also uses Google Calendar as a C2 fallback mechanism. Another novel aspect is that the GlassWorm campaign relies on "invisible Unicode characters that make malicious code literally disappear from code editors," Idan Dardikman said in a technical report. "The attacker used Unicode variation selectors – special characters that are...