GlassWorm makes comeback on OpenVSX with three newly released VSCode extensions 

GlassWorm, a self-propagating malware worm targeting developer environments, has resurfaced in the OpenVSX/VSCode marketplaces via three newly published extensions, which have already gained over 10,000 downloads.

The worm targets credentials for GitHub, NPM and crypto wallets, deploys hidden SOCKS proxies and turns infected developer endpoints into persistent relay nodes for further distribution and command and control. 

This incident highlights the growing risk of supply chain exploitation via developer tooling and the potential for compromised developer machines to become staging grounds for enterprise breaches. 

ClickFix malware expands to include multi-OS support and video tutorials 

The ClickFix social-engineering campaign has significantly upgraded its attack vector: videos embedded in landing pages now guide victims through the infection process, countdown timers create urgency and OS-detection tailors commands to Windows, macOS and Linux. 

Attackers are using SEO poisoning and malvertising to lure users to these pages, and the updated campaign uses scripts to automatically copy malicious commands to the clipboard, reducing user error and increasing infection rates. 

With support across multiple operating systems and more convincing user interfaces, the campaign expands from typical Windows targets to cross-platform threat exposure in mixed-environment enterprises. 

Gootloader malware returns with new techniques after a seven-month break 

The Gootloader loader campaign, previously disrupted, has returned using SEO-poisoned legal-document templates and custom font glyph-swapping techniques to obfuscate malicious content and evade detection. 

In the current wave, Gootloader delivers the "Supper" SOCKS5 backdoor, which grants remote access and has already been linked to ransomware affiliates active in major breach campaigns.

The revival of Gootloader demonstrates how well-known loader campaigns can re-emerge with enhanced stealth and supply chain tactics despite prior takedowns. 

Google sounds alarm on AI-assisted malicious software now circulating in real-world attacks 

Google's Threat Intelligence Group reports that adversaries are now using generative AI and on-the-fly code generation in malware families such as PromptLock to enable dynamic behavior mutation and improved evasion.

These AI-powered malware strains target Windows, macOS and Linux and use machine learning for reconnaissance, payload delivery and stealth persistence. The discovery marks a fundamental shift in threat actor capabilities. 

The emergence of AI-infused attacks means detection models and signature-based systems are increasingly inadequate, requiring more adaptive defense strategies. 

1.5 million Swedish software supplier customers affected by major breach 

Swedish IT systems supplier Miljödata, which supports roughly 80% of municipalities, suffered a cyberattack exposing the personal data of around 1.5 million individuals, roughly one in five Swedes.

The exposed data includes full SQL table dumps with personal ID numbers, names and email addresses; while sensitive medical fields were present in some tables, they were not confirmed as stolen in the 224 MB leak. 

The incident underscores the high-risk nature of centralized service providers in public sector supply chains and the downstream exposure when one vendor is compromised.