SEVEN.LEGEND // V4
WELCOME TO SEVEN'S DOMAIN

SECURE RESEARCH FACILITY

System initialization complete.
Accessing main mainframe...

Explore exploits, custom tools, and historical archives.

ACCESS LOGS
SYSTEM LOG // RECENT ACTIVITY
"Security is not a product, but a process."
Self-Spreading GlassWorm Worm Infects VS Code Extensions - Free Scanner Tool
LOG DATE: October 26, 2025
Cybersecurity researchers discovered GlassWorm, a self-propagating worm spreading through Visual Studio Code extensions. This sophisticated supply chain attack has infected 14 extensions with 35,800+ downloads.

What Makes GlassWorm Dangerous?
- Uses invisible Unicode characters to hide malicious code from developers
- Leverages Solana blockchain for command-and-control (resilient to takedowns)
- Steals credentials (npm, GitHub, Git, Open VSX tokens)
- Drains 49 different types of cryptocurrency wallets
- Installs SOCKS proxy and hidden VNC for remote access
- Auto-updates through VS Code without user interaction

Infected Extensions (14):
- codejoy.codejoy-vscode-extension (1.8.3, 1.8.4)
- cline-ai-main.cline-ai-agent (3.1.3)
- CodeInKlingon.git-worktree-menu, SIRILMP.dark-theme-sm
- And 10 more extensions

How It Works:
Attackers compromise extension publisher accounts, inject malicious code using Unicode variation selectors (literally invisible in code editors), and use Solana blockchain transactions to store encrypted C2 commands. The malware then steals credentials and uses them to compromise MORE extensions, creating a self-propagating worm.
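A minimal detector for the invisible-character technique described above. This is an added example, not the scanner linked below and not code from Koi Security. The function names, the file-suffix list and the run-length threshold of 2 are assumptions made for illustration.

```python
import os
import re
import tempfile

# Unicode variation selectors: VS1-VS16 (U+FE00-U+FE0F) and the
# Variation Selectors Supplement, VS17-VS256 (U+E0100-U+E01EF).
VS_RUN = re.compile("[\uFE00-\uFE0F\U000E0100-\U000E01EF]+")

def find_vs_runs(text, min_run=2):
    """Return (line_no, column, run_length) for each run of variation selectors.

    A lone selector after an emoji or CJK character is normal text, so only
    runs of min_run or more are reported (the threshold is an assumption).
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in VS_RUN.finditer(line):
            if len(m.group()) >= min_run:
                hits.append((line_no, m.start() + 1, len(m.group())))
    return hits

def scan_tree(root, suffixes=(".js", ".mjs", ".cjs", ".ts", ".json")):
    """Walk an extension directory and map file path -> list of hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            # errors="replace" keeps the scan going on files that are not UTF-8
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_vs_runs(fh.read())
            if hits:
                report[path] = hits
    return report

def demo():
    """Constructed sample: one clean file, one with an invisible 40-char run."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.js"), "w", encoding="utf-8") as fh:
            fh.write("const ok = '\u2764\uFE0F';\n")  # heart + single VS16: benign
        with open(os.path.join(root, "suspect.js"), "w", encoding="utf-8") as fh:
            fh.write("// header\nrun('" + "\U000E0101" * 40 + "');\n")
        return {os.path.basename(p): h for p, h in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at the VS Code extensions directory (typically `~/.vscode/extensions`) to check installed extensions; a hit is a lead for manual review, not proof of infection.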

Free Scanner Tools:
I created detection tools in both Python (cross-platform) and PowerShell (Windows):

https://sevenlegend.io/?page=codes

The scanners detect:
✓ All 14 known infected extensions
✓ Invisible Unicode characters in code
✓ Blockchain C2 patterns
✓ Credential theft indicators
✓ System compromise (SOCKS proxy, VNC servers)

If You're Infected:
1. Run the scanner with the --remove flag
2. Rotate ALL credentials (GitHub, npm, Git, API keys)
3. Check cryptocurrency wallets for unauthorized transactions
4. Scan for system-level compromise
5. Disable VS Code auto-updates temporarily

Source: Koi Security Research
https://www.koi.ai/blog/glassworm-first-self-propagating-...
131 Malicious Chrome Extensions Hijacking WhatsApp Web - Scanner Tool Available
LOG DATE: October 24, 2025
Security researchers discovered 131 Chrome extensions hijacking WhatsApp Web to send bulk spam messages, affecting over 20,000 users. These extensions inject malicious code into WhatsApp to bypass anti-spam filters and automate mass messaging.

Known Compromised Extensions:
- YouSeller (10,000 users)
- performancemais (239 users)
- Botflow, ZapVende, Organize-C

Most are published by "WL Extensão" or "WLExtensao". All 131 extensions share the same malicious codebase despite appearing different.

Check Your Browser:
I created a Python scanner to detect these extensions automatically:
https://sevenlegend.io/?page=codes

If You're Affected:
1. Remove the extension immediately (chrome://extensions)
2. Log out all WhatsApp Web sessions
3. Review recent WhatsApp activity for unauthorized messages

Source: Socket.dev Research