Incident-Response

Apple shipped coordinated security updates on November 3, 2025 for iOS/iPadOS 26.1, macOS Tahoe 26.1, watchOS 26.1, tvOS 26.1, visionOS 26.1, Safari 26.1, and Xcode 26.1. The Internet Storm Center counted 110 vulnerabilities across the set, with no CVEs marked as exploited in the wild by Apple at publication time. (support.apple.com)

Intrusion Flow

This is a likely attacker flow derived from Apple’s release notes and ISC’s summary; use it to guide triage and hypothesis testing.

On November 2, 2025, Open VSX said it rotated leaked access tokens after attackers abused exposed secrets to publish malicious VS Code-compatible extensions in a supply-chain incident tied to the “GlassWorm” campaign. The Eclipse Foundation removed the malicious packages, and reported the incident contained by October 21 with additional controls coming (shorter token lifetimes, faster revocation workflows, and automated scans) source source.

Intrusion Flow

• Initial access to publishers: Researchers cataloged over 550 validated secrets inside VS Code and Open VSX extensions, including more than 100 VS Code Marketplace PATs and 30+ Open VSX tokens-enough to let an attacker push trojanized updates to projects with an install base around 150k in aggregate source source.
• Weaponization and publish: Some leaked Open VSX tokens were subsequently abused to publish malicious extensions associated with the GlassWorm campaign source.
• Payload concealment: Koi Security reported the use of invisible Unicode characters to hide JavaScript payloads (Unicode steganography) in extension code, hindering human review; claims included credential theft and targeting of crypto-wallet data in dozens of extensions source source. The Eclipse Foundation clarified GlassWorm did steal developer credentials but was not self-replicating as a worm on endpoints source.
• Distribution surface: Open VSX is the Eclipse-run registry for VS Code-compatible extensions and is widely used by VS Code forks that can’t use Microsoft’s Marketplace (for example Cursor and Windsurf), increasing reach beyond Microsoft’s VS Code desktop source source.
• Amplification factors: VS Code auto-updates extensions by default; a compromised publisher token can silently fan out malicious updates to enrolled developer machines source source.

Key Artifacts to Pull

• Extension inventory and binaries
  • Enumerate installed extensions and lock versions:
    • code --list-extensions --show-versions (official CLI) source source.
  • File system paths for extensions:
    • Windows: %USERPROFILE%\.vscode\extensions
    • macOS/Linux: ~/.vscode/extensions source source.
  • Collect extension directories, their package.json, and any .vsix packages found on disk (portable mode keeps all data under the app data folder) source.
• VS Code state and logs
  • Global state DB: %APPDATA%\Code\User\globalStorage\state.vscdb (or ~/.config/Code/User/globalStorage/state.vscdb) contains extension enable/disable state; also check workspace workspaceStorage/*/state.vscdb source.
  • Export extension logs via Developer: Open Extension Logs Folder (also exposed by GitHub Codespaces docs) source.
• Indicators specific to GlassWorm
  • Review Koi’s rolling IoCs for compromised extension IDs/versions and infrastructure (IPs, Solana wallet, Google Calendar dead-drops) to guide triage source.

Detection Notes

• Hunt for invisible Unicode control/steganography markers in extensions and project code
  • Background: Unicode bidi controls and zero-width/variation selectors can render code differently than it executes (the “Trojan Source” class of issues) source source.
  • Practical scans (target extension folders and recent repos):
    • Detect bidi controls (U+061C; U+200E-U+200F; U+202A-U+202E; U+2066-U+2069) with PCRE2/Perl one-liners as documented by the community:
      • Git/PCRE form: git grep -IP '(*UTF)[\x{061C}\x{200E}\x{200F}\x{202A}-\x{202E}\x{2066}-\x{2069}]' source.
      • Perl form: perl -CSD -ne 'print "$ARGV: $_" if /\p{Bidi_Control}/' $(fd -t f) source.
    • Detect zero-width and variation selectors often used for invisibility/steganography (e.g., U+200B-U+200D; U+FE00-U+FE0F):
      • ripgrep example: rg -nUP "[\x{200B}-\x{200D}\x{FE00}-\x{FE0F}]" ~/.vscode/extensions
      • FE0F (Variation Selector-16) is an invisible, non-spacing selector source source.
  • Focus on files executed on activation (e.g., extension.js, out/*.js, dist/*.js) and package.json activation events.
• Look for outbound C2 patterns noted in public write-ups (Solana transaction lookups, Google Calendar shortlinks) and the specific HTTP hosts and paths in Koi’s IoCs source.
• Prioritize forks using Open VSX (e.g., Cursor and Windsurf) since their marketplaces are independent of Microsoft’s and were in GlassWorm’s blast radius; Cursor publicly documented its transition to Open VSX source source.

Response Guidance

• Containment on developer endpoints
  • Freeze extension churn: set "extensions.autoUpdate": false temporarily while you investigate source.
  • Snapshot and remove: export code --list-extensions --show-versions, then uninstall suspicious or listed IoC extensions; optionally pin safe versions via --install-extension publisher.ext@version source.
  • Inspect and neutralize Unicode-hidden payloads: if scans hit invisible characters in executable code, treat the extension as compromised; preserve copies, then disable/uninstall.
• Credential hygiene
  • Rotate developer credentials targeted by reports (GitHub PATs, npm tokens, Open VSX access tokens) and invalidate saved tokens on endpoints. Open VSX documents token management and revocation in its publishing guide; tokens remain valid until deleted-revoke any that could be exposed in CI or builds source source.
• Enterprise marketplace governance
  • Prefer allow-lists of publishers and pre-approved extensions for Open VSX-backed IDEs (Cursor/Windsurf). Where possible, pre-stage vetted .vsix and install via CLI to reduce live marketplace risk source.
  • Monitor Open VSX and vendor advisories; Eclipse’s post-incident measures include shorter token lifetimes, faster revocations, and automated publication-time scans-incorporate those changes into your risk model source.
• Scope verification
  • Cross-check endpoints for Koi’s listed persistence keys (Windows Run) and network IoCs when applicable, acknowledging Eclipse’s clarification that the malware did credential theft but was not autonomously self-replicating on hosts source source.

Takeaways

• Inventory and lock VS Code-compatible extensions now; disable auto-updates during triage and remove any listed by IoCs source source.
• Hunt for Unicode control characters in extension code and recent repos; treat any invisible-character hits in executable files as suspicious until proven benign source source.
• Rotate exposed tokens across Open VSX, GitHub, and npm; re-issue per-environment tokens and revoke unused ones source.
• Track Open VSX advisories and Koi/Aikido updates; BleepingComputer confirms Eclipse removed the packages, rotated tokens, and is tightening controls, while Aikido reports the threat activity pivoting to GitHub with the same Unicode technique source source.

Check Point’s October 27, 2025 weekly report flags two things we should treat as priority hunts: a fresh LockBit 5.0 build with cross-platform encryptors and faster runtime, and active abuse of Magento’s SessionReaper (CVE-2025-54236) to hijack sessions and drop PHP webshells via the REST API. Their write-up aligns with Trend Micro’s technical analysis of the LockBit 5.0 binaries and Adobe/Sansec guidance on SessionReaper exploitation in the wild. (Check Point report; Check Point blog on the comeback; Trend Micro analysis; Adobe APSB25-88; Sansec). (research.checkpoint.com)

CISA confirmed active exploitation of two more DELMIA Apriso vulnerabilities and added them to the Known Exploited Vulnerabilities (KEV) catalog on October 28, 2025: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Federal agencies have three weeks under BOD 22-01; the remediation due date cited is November 18, 2025. (BleepingComputer). (bleepingcomputer.com)

DELMIA Apriso is a manufacturing operations/MES platform commonly deployed on Windows with IIS and a backend database. Vendor advisories state both CVEs affect releases 2020 through 2025, with the missing authorization bug enabling privileged access and the code injection bug enabling arbitrary code execution under specific conditions. (Dassault Systèmes CVE-2025-6205, CVE-2025-6204; NVD 6205, NVD 6204). (3ds.com)

SANS ISC documented a phishing message whose Subject was split into multiple RFC 2047 “encoded-words,” with soft hyphen characters (U+00AD) inserted between letters to break keyword matches. Outlook renders these as normal-looking text, so users never see the obfuscation, but filters that don’t normalize Unicode or decode RFC 2047 first can miss it (SANS ISC). Soft hyphen is a format character that’s typically invisible except at line breaks (Unicode UAX #14; see “Use of Soft Hyphen”), and Microsoft has previously called out invisible Unicode (including U+00AD and U+2060) as a phish-evasion tactic in both bodies and subject lines (Microsoft Threat Intelligence, 2021).

Techno Security & Digital Forensics Conference West 2025 kicks off in San Diego on October 27-29 at the Town & Country Resort, with a strong emphasis on Generative/Agentic AI discovery and legal impacts (event announcement, program highlights). Legal-oriented sessions are explicitly tackling discovery for GenAI and agentic AI, including JAMS’ panel “Artificial Intelligence and Generative AI: Causes of Action and Defenses and Discovery” scheduled for Monday, October 27 at 3:15 p.m. (JAMS session page). Regional partners also underline the AI-heavy tracks (Cybersecurity, eDiscovery, Forensics, Investigations) running October 27-29 (CCOE event listing).

MSAB’s Q3 2025 release introduces BruteStorm Surge, a GPU-accelerated brute-force add-on for XRY Pro that targets long/complex passcodes, alongside major suite updates: XAMN 8.3 adds cross-app conversation threading and support for Cash App warrant returns; UNIFY 25.9 can ingest Cellebrite UFDR and GrayKey extractions; and XEC 7.15 brings role-based access control (RBAC). These capabilities are confirmed in MSAB’s official update and the initial news brief. See MSAB’s release post and feature breakdown (MSAB Q3 2025; Forensic Focus news).

Microsoft announced general availability of a unified Microsoft Defender for Identity sensor that correlates identity and endpoint telemetry across on-premises Active Directory, Microsoft Entra ID, and even third-party identity providers (e.g., Okta), improving incident correlation and enabling automatic attack disruption with richer identity context. The post also signals migration guidance for existing customers in the coming months. Microsoft Security Blog, 2025-10-23.

Why this matters to DFIR: identity evidence that used to be scattered (AD security events, Entra sign-ins, endpoint logons) is now designed to land in one incident and one hunting surface (Defender XDR), with contain/disable actions tied directly to identity context. That reduces dwell time and speeds attribution and scoping. Microsoft Security Blog.

Forensic Focus’ Oct 22, 2025 roundup spotlights Microsoft’s new Digital Defense Report (MDDR) and a wave of DFIR-relevant updates. Microsoft reports that more than half of attacks with known motives are driven by extortion or ransomware, with 80% of investigated incidents targeting data theft for financial gain. Microsoft also processes ~100 trillion security signals daily, blocks ~4.5M new malware attempts, and analyzes 38M identity risk detections. Critically, over 97% of identity attacks are password attacks-and phishing-resistant MFA can block >99% of them. (Forensic Focus roundup; Microsoft On the Issues article; MDDR 2025 overview). (forensicfocus.com)

ESET documented a late-March through mid-2025 surge of Operation DreamJob activity attributed to North Korea-aligned Lazarus, targeting multiple European defense companies - including firms that build UAV components and UAV software - to steal proprietary designs and manufacturing know-how. Initial access relied on classic “dream job” lures and trojanized readers/loaders; later stages delivered ScoringMathTea, a Lazarus RAT with ~40 commands. ESET links the focus on UAV know-how to North Korea’s push to scale its domestic drone program. (ESET WeLiveSecurity). (welivesecurity.com)