Researchers found two harmful VS Code extensions that appear as AI coding assistants but secretly send user data to servers in China. With over 1.5 million installs, they capture file content and modifications without user consent, while also incorporating analytics SDKs to track users.

Over 6,700 private repositories were made public due to a malicious supply chain attack involving Nx. The attackers used a post-install script to exfiltrate sensitive data, including API keys and tokens, by creating public repositories to store the stolen information. Security firm Wiz reported that more than 20,000 files were compromised, affecting numerous users.

An npm package called 'rand-user-agent' was compromised in a supply chain attack, leading to the injection of a remote access trojan (RAT) in unauthorized versions. Despite being deprecated, the package had a significant number of downloads, and users are advised to revert to the last legitimate version and conduct full system scans if they installed the malicious updates. The attack was traced back to an outdated automation token that allowed the unauthorized releases.

A supply-chain attack named GlassWorm is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces, leading to an estimated 35,800 installations of self-spreading malware. Utilizing invisible characters to hide its code, GlassWorm steals credentials and cryptocurrency wallet information, while employing the Solana blockchain for command-and-control, making it challenging to dismantle. Researchers have identified multiple infected extensions and warn of the malware's sophisticated nature, marking it as a significant threat to developer environments.