A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems.

The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times.

GlassWorm attacks first appeared in late October, hiding the malicious code using “invisible” Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying.

Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in active attacks to steal Okta SSO credentials for data theft.

In a new report released today by Okta, researchers explain that the phishing kits are sold as part of an “as a service” model and are actively being used by multiple hacking groups to target identity providers, including Google, Microsoft, and Okta, and cryptocurrency platforms.

Unlike typical static phishing pages, these adversary-in-the-middle platforms are designed for live interaction via voice calls, allowing attackers to change content and display dialogs in real time as a call progresses.

A threat actor known as Zestix has been offering to sell corporate data stolen from dozens of companies likely after breaching their ShareFile, Nextcloud, and OwnCloud instances.

According to cybercrime intelligence company Hudson Rock, initial access may have been obtained through credentials collected by info-stealing malware such as RedLine, Lumma, and Vidar deployed on employee devices.

The three infostealers are usually distributed through malvertising campaigns or ClickFix attacks. This type of malware commonly targets data stored by web browsers (credentials, credit cards, personal info), messaging apps, and cryptocurrency wallets.