@trailofbits/vsix-audit 0.1.0

package/zoo/iocs/blockchain-extensions.txt

@@ -0,0 +1,21 @@
+# Known legitimate blockchain development extensions
+# These extensions legitimately reference wallet addresses and contract addresses
+# Format: publisher.name (one per line)
+
+# Solidity development
+AckeeBlockchain.tools-for-solidity
+JuanBlanco.solidity
+NomicFoundation.hardhat-solidity
+tintinweb.solidity-visual-auditor
+tintinweb.vscode-solidity-language
+tintinweb.vscode-solidity-flattener
+tintinweb.graphviz-interactive-preview
+tintinweb.vscode-ethover
+tintinweb.vscode-vyper
+
+# Security audit tools
+trailofbits.vscode-weaudit
+
+# Web3 development
+AureliaEffect.aelf-contract-build
+AureliaEffect.aelf-contract-deploy

package/zoo/iocs/c2-domains.txt

@@ -0,0 +1,50 @@
+# VS Code Extension Malware C2 Domains
+# Format: domain[.]tld  # Campaign - Notes
+# All domains defanged with [.] for safety
+#
+# Submit new domains via PR or issue
+
+# FAMOUS CHOLLIMA / Contagious Interview (Vercel hosted)
+vscodesettings03rgg[.]vercel[.]app  # FAMOUS CHOLLIMA - C2
+mylocationapi03[.]vercel[.]app  # FAMOUS CHOLLIMA - C2
+ip-check-wh-notification[.]vercel[.]app  # FAMOUS CHOLLIMA - C2
+chainlink-api-v3[.]com  # FAMOUS CHOLLIMA - BeaverTail payload delivery (via HTTP error responses)
+
+# HardHatRAT Campaign
+api[.]npoint[.]io  # HardHatRAT - JSON payload hosting (legitimate service abused)
+freeipapi[.]com  # HardHatRAT - Victim IP lookup (legitimate service abused)
+
+# TigerJack Campaign
+ab498[.]pythonanywhere[.]com  # TigerJack - Data exfiltration
+api[.]codex[.]jaagrav[.]in  # TigerJack - C2
+
+# SnowShoNo Campaign
+niggboo[.]com  # SnowShoNo - PowerShell payload download
+
+# Evelyn Stealer Campaign
+syn1112223334445556667778889990[.]org  # Evelyn - HTTP C2 server
+server09[.]mentality[.]cloud  # Evelyn - FTP exfiltration server
+
+# GlassWorm Campaign - Blockchain C2
+# Solana RPC endpoints used for C2 (legitimate service abused)
+# Attacker wallet: 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2
+calendar[.]app[.]google/M2ZCvM8ULL56PD1d6  # GlassWorm - Google Calendar backup C2
+
+# GlassWorm C2 IPs (defanged)
+217[.]69[.]3[.]218  # GlassWorm - Primary C2
+217[.]69[.]11[.]60  # GlassWorm - Payload download (from stage2.dec.js)
+199[.]247[.]10[.]166  # GlassWorm - Secondary C2
+140[.]82[.]52[.]31  # GlassWorm - Exfiltration endpoint
+199[.]247[.]13[.]106  # GlassWorm - Exfiltration endpoint
+65[.]20[.]99[.]82  # GlassWorm - Data exfiltration /wall endpoint (from stage2.dec.js)
+
+# Discord Webhook Exfiltration (legitimate service abused)
+discord[.]com/api/webhooks  # Multiple campaigns - Data exfiltration via webhooks
+
+# Generic suspicious patterns to monitor
+# (Any extension connecting to these types of services warrants investigation)
+# - *.vercel.app with suspicious names
+# - *.pythonanywhere.com
+# - *.npoint.io
+# - *.replit.co
+# - discord.com/api/webhooks (common exfil method)

package/zoo/iocs/c2-ips.txt

@@ -0,0 +1,24 @@
+# VS Code Extension Malware C2 IP Addresses
+# Format: IP:PORT  # Campaign - Hosting Provider - Notes
+#
+# Submit new IPs via PR or issue
+
+# GlassWorm Campaign
+217.69.11.60  # GlassWorm - Primary C2
+45.32.151.157  # GlassWorm - Wave 4 macOS C2
+45.32.150.251  # GlassWorm - Wave 4 macOS C2
+
+# FAMOUS CHOLLIMA / Contagious Interview (Eurohoster)
+103.65.230.50  # FAMOUS CHOLLIMA - Eurohoster
+103.65.230.100  # FAMOUS CHOLLIMA - Eurohoster
+148.227.170.199  # FAMOUS CHOLLIMA - Eurohoster
+138.226.220.187  # FAMOUS CHOLLIMA - Eurohoster
+146.70.253.107:1224  # FAMOUS CHOLLIMA - InvisibleFerret Python stager download
+146.70.253.107:2242  # FAMOUS CHOLLIMA - InvisibleFerret RAT C2
+172.86.116.178:5918  # FAMOUS CHOLLIMA - BeaverTail socket.io exfiltration
+172.86.116.178:5978  # FAMOUS CHOLLIMA - BeaverTail socket.io exfiltration
+
+# HardHatRAT Campaign (Hetzner)
+95.216.37.186:5000  # HardHatRAT - Hetzner - Socket.IO WebSocket C2
+95.216.37.186:3011  # HardHatRAT - Hetzner - HTTP data exfiltration
+95.216.37.186:3000  # HardHatRAT - Hetzner - Admin panel

package/zoo/iocs/hashes.txt

@@ -0,0 +1,47 @@
+# VS Code Extension Malware Hashes
+# Format: SHA256  # Campaign - Description
+#
+# Submit new hashes via PR or issue
+
+# GlassWorm Campaign (Nov 2025)
+6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2  # GlassWorm - os.node Windows DLL (Rust implant)
+fb07743d139f72fca4616b01308f1f705f02fda72988027bc68e9316655eadda  # GlassWorm - darwin.node macOS Dylib (Rust implant)
+9212a99a7730b9ee306e804af358955c3104e5afce23f7d5a207374482ab2f8f  # GlassWorm - extension.js loader
+c32379e4567a926aa0d35d8123718e2ebeb15544a83a5b1da0269db5829d5ece  # GlassWorm - Decrypted C2 payload
+
+# HardHatRAT Campaign (Jan 2026) - npm delivery
+8e8823d8c2a44512bb8abdaeeb5dd5d187950fd07bf008f89f8005103834a98d  # HardHatRAT - tailwindcss-forms-kit-1.0.6.tgz
+e96c208c0503b8556c4c245cf693576cf142174b6f7a9e7066768876bc041697  # HardHatRAT - index.js loader
+e7071063f8cc743023889f71d070b60d3932079b2fdd75290d68c3188ac6b303  # HardHatRAT - encoded payload
+da6e9835f90b417c6c8f532287eabb78701dd746388f0c3bfe1fc6be0221d6ec  # HardHatRAT - decoded payload
+1c8c1a693209c310e9089eb2d5713dc00e8d19f335bde34c68f6e30bccfbe781  # HardHatRAT - secondary payload (PyInstaller)
+e39c91f0a14d6aa7788249bb80091160bab39b64cb9b5e2b311cf7493fd9ab0b  # HardHatRAT - Python keylogger
+
+# FAMOUS CHOLLIMA / Contagious Interview (Dec 2025)
+72602e4f621b642b823ff25a2326dc6a2edc772572a4ccafd5993b42c081cd79  # FAMOUS CHOLLIMA - Malicious ZIP archive
+a2b35d436db39682e7a5ec13e4d8b940e8e743864aad8eb9088290061e25dd59  # FAMOUS CHOLLIMA - tasks.json
+d52d99d0aa00c0b2df9044b31dde81ec9ef5dce6389b1d61ead6fffd6a1bff3b  # FAMOUS CHOLLIMA - settings.json
+3a3b1d5fa23d9eb98b0f53ef9b8db56d759e8c34c85edbb8fc38e1e8b2eb30fb  # FAMOUS CHOLLIMA - dl.py stager
+
+# Related samples (VTI pivoting)
+825ebf26a7df821478282c5d1cff868da9fcbe51934113d4b0444acc5fd94077  # HardHatRAT - related sample
+bf2bed6b6ab8df8c6c076572024fd5a6ebeb571ecef30dfbc5dbbf9d9e87aad2  # HardHatRAT - related sample
+5671cd2f328ed4276385a9e6d3bcc33328efaa45197e1d5717d0b0027caf00ac  # HardHatRAT - NvidiaDriverUpdate related
+f2db7770a017f37ff4c17c409de72161e84f1aea784a9a4d523070d799754bc6  # HardHatRAT - NvidiaDriverUpdate related
+
+# Evelyn Stealer Campaign (Dec 2025)
+369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598  # Evelyn - Lightshot.dll first-stage downloader
+92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430  # Evelyn - iknowyou.model second-stage injector
+aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5  # Evelyn - EvelynStealer.exe final payload
+74e43a0175179a0a04361faaaaf05eb1e6b84adca69e4f446ef82c0a5d1923d5  # Evelyn - abe_decrypt.dll browser injection
+
+# MalwareBazaar samples - GlassWorm extended
+bb68992f6aa2d3f316322e88d9e71491a38e95fd3a27f48084c66b9c210bd17d  # GlassWorm - react-native-vscode.1.13.1.vsix (full malicious extension)
+68e5fb92a7d7d182306a025010c77ae2cd89c39031cced13f9686a9f34671041  # GlassWorm - f_ex86.node.decoded (Rust DLL, pre-decryption)
+a9a6a03bd6958710aeacc2a23860a7f7f0d09497fef85fe658ac5406734061f8  # GlassWorm - priskinski.theme-allhallowseve-remake-1.0.0.vsix (ReversingLabs Dec2025)
+
+# Zoo samples (GitHub sources)
+2cdaee2863396e558f17503ad290163d513acbc3c2ca2dbfa6852c2e064ca9f1  # SnowShoNo - PowerShell downloader (obfuscated)
+6674b3505ac23b2354230d691b9e18c2dda74a66f76bb0df724286cb9b23581c  # ECM3401 - Extension Attack Suite .vsix
+837174f9426d244d5a6f153f147812cea84ad22acec79c6be48e6c7a2eb8b2ed  # ECM3401 - Malicious API Extension .vsix
+15afd43b543760a9a7849140ebf3425658d92aeaca596634fcfd385fae724046  # ECM3401 - Example API Extension .vsix

package/zoo/iocs/malicious-npm.txt

@@ -0,0 +1,85 @@
+# Known Malicious npm Packages
+# Format: package-name  # Campaign - Notes
+# Submit new packages via PR or issue
+
+# FAMOUS CHOLLIMA (North Korea - Contagious Interview Campaign)
+# These packages target developers via fake job interviews
+tailwindcss-forms-kit          # FAMOUS CHOLLIMA - typosquat tailwindcss-forms
+tailwindcss-kit                # FAMOUS CHOLLIMA - typosquat
+postcss-transform-classes      # FAMOUS CHOLLIMA - typosquat postcss-modules
+sass-extract                   # FAMOUS CHOLLIMA - bundled malware
+@nicol-dev/my-vite-package     # FAMOUS CHOLLIMA - malicious vite plugin
+
+# Historical Supply Chain Attacks
+event-stream                   # 2018 - flatmap-stream backdoor targeting Copay wallet
+ua-parser-js                   # 2021 - cryptominer injection
+coa                            # 2021 - compromised maintainer
+rc                             # 2021 - compromised maintainer
+colors                         # 2022 - sabotage by maintainer
+faker                          # 2022 - sabotage by maintainer
+node-ipc                       # 2022 - protestware with data corruption
+
+# Typosquatting Attacks
+crossenv                       # Typosquat of cross-env
+cross-env.js                   # Typosquat of cross-env
+d3.js                          # Typosquat of d3
+fabric.js                      # Typosquat of fabric
+ffmepg                         # Typosquat of ffmpeg
+gruntcli                       # Typosquat of grunt-cli
+http-proxy.js                  # Typosquat of http-proxy
+jquery.js                      # Typosquat of jquery
+mariadb                        # Typosquat of mariasql
+mongose                        # Typosquat of mongoose
+mssql.js                       # Typosquat of mssql
+mssql-node                     # Typosquat of mssql
+mysqljs                        # Typosquat of mysql
+node-fabric                    # Typosquat of fabric
+node-opencv                    # Typosquat of opencv
+node-opensl                    # Typosquat of openssl
+node-openssl                   # Typosquat of openssl
+node-sqlite                    # Typosquat of sqlite3
+node-tkinter                   # Typosquat of tkinter
+nodecaffe                      # Typosquat of caffe
+nodefabric                     # Typosquat of fabric
+nodeffmpeg                     # Typosquat of ffmpeg
+nodemailer-js                  # Typosquat of nodemailer
+nodemssql                      # Typosquat of mssql
+noderequest                    # Typosquat of request
+nodesass                       # Typosquat of node-sass
+nodesqlite                     # Typosquat of sqlite3
+opencv.js                      # Typosquat of opencv
+openssl.js                     # Typosquat of openssl
+proxy.js                       # Typosquat of http-proxy
+shadowsock                     # Typosquat of shadowsocks
+smb                            # Typosquat of samba
+sqlite.js                      # Typosquat of sqlite3
+sqliter                        # Typosquat of sqlite3
+sqlserver                      # Typosquat of mssql
+tkinter                        # Typosquat of python tkinter wrapper
+lodahs                         # Typosquat of lodash
+lodashs                        # Typosquat of lodash
+loadsh                         # Typosquat of lodash
+lodaash                        # Typosquat of lodash
+
+# Socket.dev Tracked Malware
+express-cookie                 # 2024 - credential harvester
+express-session-parser         # 2024 - credential harvester
+node-hide-console-windows      # 2024 - spyware
+axios-retry-enhanced           # 2024 - data exfiltration
+react-native-scrollpageviewtest # 2024 - crypto stealer
+lottie-rn                      # 2024 - data exfiltration
+
+# VS Code Extension Related
+vscode-darcula                 # Discord token stealer (npm dependency used by malicious extension)
+@nicol-dev/vscode-theme        # FAMOUS CHOLLIMA - malicious VS Code theme dependency
+
+# Electron/Desktop App Targeting
+electron-chromedriver-test     # 2023 - reverse shell
+electron-native-notify-test    # 2023 - data exfiltration
+
+# AI/LLM Tool Typosquats (emerging trend 2025)
+openai-api                     # Typosquat of openai
+chatgpt-api                    # Typosquat - not official
+gpt-3-encoder                  # Typosquat
+langchain-core                 # Typosquat - not official
+anthropic-api                  # Typosquat - not official

package/zoo/iocs/wallets.txt

@@ -0,0 +1,18 @@
+# VS Code Extension Malware Cryptocurrency Wallets
+# Format: CURRENCY ADDRESS  # Campaign - Notes
+#
+# These wallets are used by attackers for:
+# - C2 communication (blockchain-based C2)
+# - Receiving stolen funds
+# - Cryptominer payouts
+#
+# Submit new wallets via PR or issue
+
+# GlassWorm Campaign - Solana Blockchain C2
+SOL BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC  # GlassWorm - Primary C2 wallet (transaction memos contain commands)
+
+# Add wallet addresses here as they are discovered
+# Format examples:
+# BTC 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa  # Campaign - Description
+# ETH 0x742d35Cc6634C0532925a3b844Bc9e7595f8fE42  # Campaign - Description
+# SOL ADDRESS  # Campaign - Description

package/zoo/signatures/yara/README.md

@@ -0,0 +1,46 @@
+# YARA Rules for VS Code Extension Malware
+
+Detection signatures for scanning extensions.
+
+## External Rules
+
+We recommend using the Knostic GlassWorm YARA rules:
+
+```bash
+git clone https://github.com/knostic/open-tools.git
+cp open-tools/glassworm_yara/*.yar zoo/signatures/yara/
+```
+
+### Knostic Rule Files
+
+| File                          | Rules | Purpose                                              |
+| ----------------------------- | ----- | ---------------------------------------------------- |
+| `unicode_stealth.yar`         | 2     | Invisible Unicode characters, zero-width obfuscation |
+| `blockchain_c2.yar`           | 3     | Solana RPC C2, memo field parsing                    |
+| `credential_harvesting.yar`   | 5     | NPM/GitHub/OpenVSX/SSH credential theft              |
+| `google_calendar_c2.yar`      | 4     | Calendar API abuse for C2                            |
+| `crypto_wallet_targeting.yar` | 4     | Wallet extension targeting, seed extraction          |
+| `rat_capabilities.yar`        | 5     | SOCKS proxy, VNC, remote execution                   |
+| `self_propagation.yar`        | 5     | Automated publishing, worm propagation               |
+
+Source: https://github.com/knostic/open-tools/tree/main/glassworm_yara
+
+## Custom Rules
+
+Add custom YARA rules to this directory. Follow naming convention:
+
+```
+{campaign}_{detection_type}.yar
+```
+
+Example: `tigerjack_keylogger.yar`
+
+## Usage
+
+```bash
+# Scan with YARA
+yara -r zoo/signatures/yara/ path/to/extension/
+
+# With vsix-audit (planned)
+vsix-audit scan extension.vsix --yara zoo/signatures/yara/
+```

package/zoo/signatures/yara/blockchain_c2.yar

@@ -0,0 +1,48 @@
+/*
+    GlassWorm Blockchain C2 Detection
+    Detects Solana blockchain-based command and control infrastructure
+
+    IMPORTANT: These rules require SPECIFIC GlassWorm patterns, not just
+    Solana SDK usage. Many legitimate extensions use Solana.
+*/
+
+rule C2_JS_GlassWorm_Solana_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style Solana blockchain C2 using transaction memos to receive and execute commands"
+    severity    = "critical"
+    score       = "90"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Must use Solana SDK
+    $solana_import = "@solana/web3.js" ascii wide
+
+    // Must parse transaction memos (the C2 channel)
+    $memo_parse1 = "instructionData" ascii wide
+    $memo_parse2 = "transaction.memo" ascii wide
+    $memo_parse3 = "memoData" ascii wide
+
+    // Must decode hidden payload from memo
+    $decode1 = "atob" ascii wide
+    $decode2 = /Buffer\.from\([^,]+,\s*["']base64["']\)/ ascii wide
+
+    // Must fetch the decoded URL
+    $fetch = /fetch\s*\(/ ascii wide
+
+    // Code execution from fetched payload
+    $exec1 = "eval(" ascii wide
+    $exec2 = "new Function(" ascii wide
+
+  condition:
+    $solana_import and any of ($memo_parse*) and
+    any of ($decode*) and $fetch and any of ($exec*)
+}
+
+// REMOVED: GlassWorm_Blockchain_Memo_Parsing
+// Too broad - legitimate Solana apps parse memos.
+
+// REMOVED: GlassWorm_Dynamic_C2_Resolution
+// Way too broad - matched "history" + "setInterval" + "fetch"
+// which is virtually all web apps with periodic updates.

package/zoo/signatures/yara/code_execution.yar

@@ -0,0 +1,165 @@
+/*
+    Dynamic Code Execution Detection
+    Detects patterns for executing code from strings/encoded content
+*/
+
+rule SUSP_JS_Eval_Base64_Jan25 {
+  meta:
+    description = "Detects eval() used with base64 decoding to execute hidden or obfuscated code"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $eval = "eval(" ascii wide
+
+    // Base64 decode patterns
+    $decode1 = "atob(" ascii wide
+    $decode2 = /Buffer\.from\([^,]+,\s*["']base64["']\)/ ascii wide
+    $decode3 = "base64" ascii wide
+
+  condition:
+    $eval and any of ($decode*)
+}
+
+rule SUSP_JS_Function_Constructor_Jan25 {
+  meta:
+    description = "Detects new Function() constructor that creates executable code from strings, equivalent to eval"
+    severity    = "high"
+    score       = 75
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $func1 = /new\s+Function\s*\(\s*["'`]/ ascii wide
+    $func2 = /new\s+Function\s*\(\s*[a-zA-Z_]/ ascii wide
+
+  condition:
+    any of them
+}
+
+rule SUSP_JS_Eval_Charcode_Jan25 {
+  meta:
+    description = "Detects eval() combined with String.fromCharCode or hex escapes to hide malicious code"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $eval = "eval(" ascii wide
+
+    // String construction
+    $build1 = "String.fromCharCode" ascii wide
+    $build2 = "charCodeAt" ascii wide
+    $build3 = /\\x[0-9a-fA-F]{2}/ ascii wide
+
+  condition:
+    $eval and any of ($build*)
+}
+
+rule SUSP_JS_Indirect_Eval_Jan25 {
+  meta:
+    description = "Detects indirect eval access through global object like globalThis['eval'] to evade detection"
+    severity    = "high"
+    score       = 80
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $indirect1  = "globalThis.eval" ascii wide
+    $indirect2  = "globalThis['eval']" ascii wide
+    $indirect3  = "global.eval" ascii wide
+    $indirect4  = "global['eval']" ascii wide
+    $indirect5  = "window.eval" ascii wide
+    $indirect6  = "window['eval']" ascii wide
+    $indirect7  = "this.eval" ascii wide
+    $indirect8  = "self.eval" ascii wide
+    $indirect9  = "(0,eval)" ascii wide
+    $indirect10 = "(1,eval)" ascii wide
+
+  condition:
+    any of them
+}
+
+rule SUSP_JS_Child_Process_Variable_Jan25 {
+  meta:
+    description = "Detects child_process execution with variable command input instead of static string literal"
+    severity    = "medium"
+    score       = 60
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $cp1 = "child_process" ascii wide
+    $cp2 = "require('child_process')" ascii wide
+    $cp3 = "require(\"child_process\")" ascii wide
+
+    // Execution with template literal or variable
+    $exec1 = /\.exec\s*\(\s*`/ ascii wide
+    $exec2 = /\.execSync\s*\(\s*`/ ascii wide
+    $exec3 = /\.spawn\s*\(\s*[a-zA-Z_]/ ascii wide
+    $exec4 = /\.exec\s*\(\s*[a-zA-Z_]/ ascii wide
+
+  condition:
+    any of ($cp*) and any of ($exec*)
+}
+
+rule SUSP_JS_Process_Binding_Jan25 {
+  meta:
+    description = "Detects access to Node.js internal process bindings that can bypass security restrictions"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $binding1 = "process.binding(" ascii wide
+    $binding2 = "process._linkedBinding(" ascii wide
+    $binding3 = "process.dlopen(" ascii wide
+
+  condition:
+    any of them
+}
+
+rule SUSP_JS_VM_Module_Jan25 {
+  meta:
+    description = "Detects Node.js vm module usage for code execution in sandboxes that can potentially be escaped"
+    severity    = "medium"
+    score       = 55
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $vm1 = "require('vm')" ascii wide
+    $vm2 = "require(\"vm\")" ascii wide
+    $vm3 = "vm.runInThisContext" ascii wide
+    $vm4 = "vm.runInNewContext" ascii wide
+    $vm5 = "vm.Script" ascii wide
+
+  condition:
+    any of them
+}
+
+rule SUSP_JS_WebAssembly_Remote_Jan25 {
+  meta:
+    description = "Detects WebAssembly instantiation with remote or base64 source that could execute arbitrary code"
+    severity    = "low"
+    score       = 40
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $wasm1 = "WebAssembly.instantiate" ascii wide
+    $wasm2 = "WebAssembly.compile" ascii wide
+    $wasm3 = "WebAssembly.Instance" ascii wide
+
+    // From network or encoded source
+    $source1 = "fetch(" ascii wide
+    $source2 = "atob(" ascii wide
+    $source3 = "base64" ascii wide
+
+  condition:
+    any of ($wasm*) and any of ($source*)
+}

package/zoo/signatures/yara/credential_harvesting.yar

@@ -0,0 +1,116 @@
+/*
+    GlassWorm Credential Harvesting Detection
+    Detects patterns for harvesting NPM, GitHub, OpenVSX, Git, and SSH credentials
+
+    IMPORTANT: These rules are tuned to avoid false positives on legitimate code.
+    Legitimate SSH tools, Git integrations, and package managers will use these
+    APIs. We require MULTIPLE strong indicators to fire.
+*/
+
+rule MAL_JS_GlassWorm_NPM_Token_Theft_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style NPM token theft that reads .npmrc file and exfiltrates credentials"
+    severity    = "high"
+    score       = "85"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Must specifically target .npmrc file
+    $npmrc_path = /\.npmrc/ ascii wide
+    $homedir    = "os.homedir" ascii wide
+
+    // Must read the file
+    $read = "readFile" ascii wide
+
+    // Must do something suspicious with the token
+    $exfil1 = /fetch\s*\(\s*["'][^"']*["']\s*,\s*\{[^}]*body/ ascii wide
+    $exfil2 = "axios.post" ascii wide
+    $exfil3 = "discord.com/api/webhooks" ascii wide
+    $exfil4 = "discordapp.com/api/webhooks" ascii wide
+
+  condition:
+    $npmrc_path and $homedir and $read and any of ($exfil*)
+}
+
+rule MAL_JS_GlassWorm_SSH_Key_Theft_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style SSH private key theft that reads id_rsa/ed25519 and exfiltrates"
+    severity    = "critical"
+    score       = "90"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Must target SSH private key paths specifically
+    $ssh_key1 = "id_rsa" ascii wide
+    $ssh_key2 = "id_ed25519" ascii wide
+    $ssh_key3 = "id_ecdsa" ascii wide
+
+    // Must access home directory
+    $homedir = "os.homedir" ascii wide
+
+    // Must read the file
+    $read1 = "readFileSync" ascii wide
+    $read2 = "readFile" ascii wide
+
+    // Must have network exfiltration
+    $exfil1 = /fetch\s*\(\s*["'][^"']*["']\s*,\s*\{[^}]*body/ ascii wide
+    $exfil2 = "axios.post" ascii wide
+    $exfil3 = "discord.com/api/webhooks" ascii wide
+    $exfil4 = "https.request" ascii wide
+
+    // Encoding before exfil
+    $encode1 = "base64" ascii wide
+    $encode2 = "btoa" ascii wide
+
+  condition:
+    any of ($ssh_key*) and $homedir and any of ($read*) and
+    any of ($exfil*) and any of ($encode*)
+}
+
+rule MAL_JS_GlassWorm_Browser_Credential_Theft_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style browser credential theft targeting Chrome/Firefox Login Data files"
+    severity    = "critical"
+    score       = "95"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Browser credential paths - very specific
+    $chrome_login  = "Chrome/User Data/Default/Login Data" ascii wide nocase
+    $firefox_login = "Firefox/Profiles" ascii wide nocase
+    $edge_login    = "Edge/User Data/Default/Login Data" ascii wide nocase
+    $brave_login   = "BraveSoftware" ascii wide nocase
+
+    // Must copy or read these files
+    $copy1 = "copyFileSync" ascii wide
+    $copy2 = "createReadStream" ascii wide
+    $read  = "readFileSync" ascii wide
+
+    // Network exfil
+    $exfil1 = /fetch\s*\(/ ascii wide
+    $exfil2 = /axios\s*\./ ascii wide
+    $exfil3 = /request\s*\(/ ascii wide
+
+  condition:
+    any of ($chrome_login, $firefox_login, $edge_login, $brave_login) and
+    any of ($copy*, $read) and any of ($exfil*)
+}
+
+// REMOVED: GlassWorm_Credential_Exfiltration
+// This rule was too broad - it matched any code with POST + JSON.stringify + "token"
+// which is virtually all web applications.
+
+// REMOVED: GlassWorm_SSH_Credential_Harvesting
+// Too broad - matched any SSH tooling. Replaced with GlassWorm_SSH_Key_Theft above.
+
+// REMOVED: GlassWorm_GitHub_Credential_Harvesting
+// Too broad for GitHub integrations.
+
+// REMOVED: GlassWorm_OpenVSX_Credential_Harvesting
+// Extensions that publish need these patterns legitimately.