300M monthly downloads and growing!
We're proud to have developed a pipeline for the @EclipseFdn to harden the security infrastructure of the Open VSX Registry. Great to see this milestone and the new AWS investment featured in @TheNewStack!
Check out the full story: https://t.co/ZANcKqyKhT
UPDATE: Red Hat has now published RHSB-2026-006 confirming the supply chain compromise affecting multiple npm packages under the redhat-cloud-services namespace.
Quick drop: codexui-android (27k weekly DLs) reads ~/.codex/auth.json and exfils your OpenAI refresh token to sentry.anyclaw[.]store/startlog
Payload's only in the npm tarball, never the GitHub repo
Refresh tokens don't expire = forever Codex access:
https://t.co/EQKmTVoaM7
Everyone's watching npm.
NuGet just shipped Sicoob.Sdk (2.0.0-2.0.4): a fake C# SDK for a Brazilian bank that reads your .pfx and exfils the cert + password through a Sentry endpoint, disguised as app telemetry.
Clean source repo, trojaned binary...https://t.co/3csRz2oBiv
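Both posts above hinge on the same gap: the published artifact carries files (or install hooks) that the public source repo never had. The script below is an added example, not Yeeth's tooling; it builds a constructed npm-style tarball in memory, then reports files present only in the tarball and any lifecycle scripts that run at install time. The repo file list is a constructed placeholder; in practice it would come from `git ls-files` on the tagged commit.

```python
import io
import json
import tarfile

# Lifecycle scripts npm runs automatically during install (real npm hook names).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def build_sample_tarball() -> bytes:
    """Construct a fake npm tarball in the `npm pack` layout (everything under package/).

    All contents are constructed placeholders for the example; nothing here is real malware.
    """
    files = {
        "package/package.json": json.dumps({
            "name": "example-pkg",  # hypothetical package name
            "version": "1.0.0",
            "scripts": {"postinstall": "node lib/telemetry.js"},
        }),
        "package/index.js": "module.exports = () => 'hello';\n",
        # Present only in the published tarball, absent from the "repo" below.
        "package/lib/telemetry.js": "// constructed placeholder file\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(tarball: bytes, repo_files: set[str]) -> dict:
    """Compare a published tarball against the repo's file list.

    Returns files that exist only in the tarball and any install-time hooks
    declared in package.json, both of which deserve a manual look.
    """
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        members = {m.name.removeprefix("package/"): m
                   for m in tar.getmembers() if m.isfile()}
        pkg = json.loads(tar.extractfile(members["package.json"]).read())
    tarball_only = sorted(set(members) - repo_files)
    hooks = {k: v for k, v in pkg.get("scripts", {}).items() if k in INSTALL_HOOKS}
    return {"tarball_only": tarball_only, "install_hooks": hooks}


if __name__ == "__main__":
    # Constructed repo listing: README exists in git but is not packed, which is normal.
    print(audit_tarball(build_sample_tarball(), {"package.json", "index.js", "README.md"}))
```

A clean result is an empty `tarball_only` list and no hooks; a file that only exists in the tarball and is referenced by a postinstall script is the pattern both posts describe.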
Huge milestone for the team today: We pissed off a threat actor so badly they cloned our co-founder's name on Open VSX and tried to gaslight our LLM with prompt injection
Imagine putting this much effort into a dropper that's dead on arrival
Enjoy these hilarious screenshots of their desperation
LIVE NOW
A Deeper Look at GLASSWORM's Solana Variant
Check out our triage and reversing of an ongoing campaign targeting Open VSX and, by extension, your IDE
https://t.co/zTYxQCSuJp
These extensions contain artifacts from GLASSWORM - one we analyzed contains a compiled executable with anti-VM behavior and extracts an embedded payload to execute in memory.
A report with our deep analysis will be published soon. Links for awareness:
- https://t.co/LCoGF5xQ6l
- https://t.co/ZS0ynuoYeh
- https://t.co/EYVb6Xtyau
VS Code marketplace rarely tags an extension straight as Malware
Most takedowns get "Impersonation"
Today we got Sm1lerrpasy.ton-func-syntax-highlighter. TON FunC = Telegram-chain smart contract devs = wallets w/ TON keys.
https://t.co/zB2myGh3Qx
The absolute weaponized brainrot in the beg bounty scene right now.
Some genius uploaded an Antigravity IDE "0day sandbox escape" to Open VSX...that bypasses a sandbox to grant you the exact local privileges the extension already had.
Brilliant execution, you broke into a house you were already sitting inside
Yeeth Security is tracking another campaign of GLASSWORM adjacent extensions targeting Open VSX
The campaign polls Solana mainnet for a memo transaction on the threat actor's wallet and decrypts the memo for the next-stage C2 domain to fetch and execute a binary
Windows and Linux machines are targeted, but notably the Linux payload is missing
The Windows payload sets a registry run key masquerading as a Windows Defender backup artifact that installs a self-updating RAT