Over the past week, cybersecurity professionals have been gripped by the emergence of GlassWorm, a highly sophisticated, self-propagating malware campaign targeting VS Code extensions on the OpenVSX Marketplace.

The scale and technical complexity of this attack signal a turning point for supply chain security in developer ecosystems.

As of October 2025, over 35,800 installations have reportedly been compromised, with the number growing as active malicious extensions continue to operate in the wild.

The impact is felt not only through direct credential theft but also through deep infiltration of developer machines.

The initial signs of the campaign surfaced when Koi researchers identified unusual behavioral shifts in the seemingly benign “CodeJoy” extension after its 1.8.3 version update.

While the extension passed initial visual code reviews, Koi’s risk engine flagged it for anomalous network connections and credential access.

Undetectable on superficial inspection, the researchers quickly found that the underlying infection vector was both novel and alarming—the malicious code was encoded using invisible Unicode characters, allowing it to blend perfectly with legitimate source files.

The result: entire blocks of JavaScript payload remained unseen to the naked eye and undetectable by most static analysis tools.

Koi’s investigation soon revealed the magnitude of the threat. The worm harvests secrets from npm, GitHub, OpenVSX, and even targets 49 different cryptocurrency wallet extensions.

After siphoning credentials, it leverages them to hijack additional extensions, thereby achieving a self-propagating cycle.

Victims’ devices are then weaponized, serving as criminal proxy nodes or platforms for remote attacks, illustrating a truly distributed and resilient campaign strategy.

Koi analysts confirmed that the attackers architected an unkillable command-and-control (C2) infrastructure using the Solana blockchain.

Alongside blockchain payload distribution, fallback C2 mechanisms—Google Calendar events and direct IP endpoints—make takedown efforts almost futile.

Each communication contains encrypted instructions for further stages, enabling dynamic updates to the malware in near real-time.

This approach enables GlassWorm to adapt swiftly and persistently within compromised networks.

Invisible Unicode: The Infection Mechanism

A standout aspect of GlassWorm’s operation is its use of the Unicode “variation selector” exploit. By inserting non-rendering Unicode codepoints into JavaScript source files, the malware hides entire logic branches.

These characters are ignored by visual editors and code review platforms but are recognized and executed by the JavaScript interpreter.

For instance, a segment in the compromised CodeJoy file showed a vast empty space—actually filled with functional malicious code—successfully disguised.

// Line 2 appears empty but contains:
function stealCreds() {...}

This method fundamentally breaks assumptions of code transparency. Developers, even when manually inspecting diffs or reviewing GitHub commits, cannot see the injected logic.

Only byte-wise or deeply specialized tools can reveal the hidden payload, underscoring the criticality of updating code inspection and CI processes to detect non-standard Unicode—a mitigation priority for defenders.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New GlassWorm Using Invisible Code Hits Attacking VS Code Extensions on OpenVSX Marketplace appeared first on Cyber Security News.

A critical authorization bypass vulnerability has emerged in ZYXEL’s ATP and USG series network security appliances, allowing attackers to circumvent two-factor authentication protections and gain unauthorized access to sensitive system configurations.

Tracked as CVE-2025-9133, this security flaw affects devices running ZLD firmware version 5.40 and was publicly disclosed on October 21, 2025, following a coordinated vulnerability disclosure process.

The vulnerability exploits a weakness in the authentication verification phase, specifically targeting the zysh-cgi binary that handles communication with the ZLD system for configuration queries and modifications.

The flaw enables threat actors to inject malicious commands into authentication requests during the 2FA verification stage, effectively bypassing security controls that would normally restrict access to critical system files.

When users with two-factor authentication enabled log into affected devices, they are prompted to enter a verification code received via email or Google Authenticator.

However, during this intermediate authentication state, the vulnerability allows attackers to manipulate command strings sent to the device’s backend, granting them the ability to view and download complete system configurations containing credentials, encryption keys, and other sensitive security parameters.

Rainpwn analyst identified this vulnerability while conducting security research on ZYXEL network appliances in August 2025.

The researcher discovered that the authentication mechanism fails to properly validate command inputs during the 2FA verification phase, creating an exploitable window where semi-authenticated users can execute privileged operations.

This discovery came parallel to another critical vulnerability, CVE-2025-8078, highlighting systemic issues in ZYXEL’s authentication implementation.

Command Injection and Whitelist Bypass Mechanism

The vulnerability stems from a fundamental flaw in how the zysh-cgi endpoint processes and validates user commands.

ZYXEL implemented a whitelist-based security control that theoretically restricts semi-authenticated users to executing only specific, pre-approved commands such as “show version” or “show users current.”

However, the validation mechanism only performs prefix-based string matching without tokenizing or splitting concatenated commands.

This design weakness allows attackers to chain multiple commands using semicolon separators, effectively smuggling unauthorized commands alongside legitimate ones.

The exploitation technique involves crafting a specially formatted HTTP POST request to the /cgi-bin/zysh-cgi endpoint with a malicious command parameter.

A proof-of-concept exploit demonstrates this by sending:-

filter=js2&cmd=show%20version;show%20running-config&write=0

In this payload, “show version” matches the whitelist and passes initial validation checks. However, because the system does not parse or validate commands after the semicolon separator, the subsequent “show running-config” command executes with full privileges despite not being explicitly authorized.

The entire concatenated string is forwarded directly to the backend CLI parser, which interprets the semicolon as a command separator and executes both operations sequentially.

When the system processes this request, it returns the complete device configuration in JavaScript-formatted data arrays, exposing sensitive information including administrative credentials, VPN keys, firewall rules, and network topology details.

The vulnerability specifically affects users assigned to restricted profiles with a user type parameter value of 0x14, which represents the most constrained access level.

Binary analysis of the zysh-cgi executable reveals that the code uses strncmp() function calls to validate command prefixes but fails to implement proper command tokenization or recursive validation of chained operations.

The “filter=js2” parameter instructs the server to return data in JavaScript format rather than HTML, while “write=0” ensures the operation remains read-only, preventing accidental system modifications while still exposing configuration data.

This architectural flaw demonstrates how insufficient input validation combined with overly permissive command forwarding mechanisms can create critical security vulnerabilities even in systems with multi-factor authentication enabled.

ZYXEL released a firmware patch on October 20, 2025, and published their security advisory on October 21, 2025, urging all ATP and USG series users to immediately update their devices to remediate this critical vulnerability.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post ZYXEL Authorization Bypass Vulnerability Let Attackers View and Download System Configuration appeared first on Cyber Security News.