GlassWASM: Trojanized Open VSX Extensions Used TinyGo WebAssembly and Solana Memo C2

Confirmed
Discovered Jun 20, 2026

Socket says two trojanized Open VSX extensions delivered a TinyGo-compiled WebAssembly loader that read Solana memo data to resolve `dodod[.]lat`, then built OS-specific download-and-execute commands for developer endpoints.

2
Affected Packages
24
Observables
3
Sources

Timeline

1 of 1 rows

Timeline
DateEventDescriptionSource
Jun 20, 2026Fresh source reviewReviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data.Direct source

Affected Software

2 of 2 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
exargd/vsblackopen-vsx0.0.1Malicious90%Direct source
noellee-doc/flint-debugopen-vsx0.1.1Malicious90%Direct source

IOC Clipboard

20 IOCs
domainapi.mainnet.solana.com
domaindodod.lat
urlhttps://api.mainnet.solana.com
urlhttps://dodod.lat/darwin/i/_
urlhttps://dodod.lat/linux/i/_
urlhttps://dodod.lat/win32/i/_
urlhttps://open-vsx.org/extension/exargd/vsblack
urlhttps://open-vsx.org/extension/noellee-doc/flint-debug
hash558b4f1d9a263c13756ab0126c09dd080c85ba405b29488e1c4e6aa68b554f1f
hash8ebac142e34a20c297d3ccaca7ee5d9ddd24fed4
hash4e143876eeaf5e767a9971f603b0f13c
hash3aa31999398e7f80231c03d7137ffdb554a84b83dbcffc59ce16c9a65f9e5d58
hashc0ed7d575fe8085e942898c9a26f15992c895ba9
hashb262b8d2ac2f0ab3c78251db44ecf3ac
file_pathorybbbdsuqmaapel.wasm
file_pathsnqpkebiwrxmoivl.wasm
file_pathnoellee-doc.flint-debug-0.1.1.vsix
file_pathexargd.vsblack-0.0.1.vsix
commandgetSignaturesForAddress
commandgetTransaction

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
Direct sourcedirect95%1https://open-vsx.org/extension/exargd/vsblack
Direct sourcedirect95%1https://open-vsx.org/extension/noellee-doc/flint-debug
Primary researchprimary research95%1https://socket.dev/blog/glasswasm-malware-open-vsx-extensions