Programmer’s Digest #156

10/15/2025-10/22/2025 Self-Spreading ‘GlassWorm’, CISA Flags Critical Lanscope Bug, LinkPro Rootkit Attacking GNU/Linux Systems And More.

1. Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack

Cybersecurity researchers uncovered GlassWorm, a self-propagating worm hidden in VS Code extensions on the Open VSX Registry and the Microsoft Marketplace that targets developers. The campaign is the second major DevOps supply-chain worm since Shai-Hulud in mid-September 2025. It uses the Solana blockchain for resilient command-and-control, with Google Calendar as a fallback, and hides its loader in source files using invisible Unicode variation selectors, characters that render as nothing in an editor or a diff view. GlassWorm steals npm, Open VSX, GitHub and Git credentials, drains funds from 49 cryptocurrency wallet extensions, deploys SOCKS proxies, installs hidden VNC servers, and uses the stolen credentials to compromise further packages. Fourteen extensions (13 on Open VSX, 1 on the Microsoft Marketplace) were infected, totalling about 35,800 downloads; the first wave appeared on October 17, 2025, and how the publisher accounts were hijacked is still unknown. The payload retrieves Base64-encoded C2 instructions from Solana transaction memos (or from Google Calendar events), then drops a JavaScript module named Zombi that completes the takeover. Because VS Code extensions auto-update by default, a compromised publisher can push a malicious version silently; researchers warn it is a worm built to spread across the developer ecosystem.
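The hiding trick above, runs of invisible variation selectors inside otherwise ordinary-looking source, is easy to scan for. The block below is an added example written for this digest, not code from GlassWorm or from the researchers who analysed it: it flags runs of variation selectors in a JavaScript file and decodes a run under an assumed byte-to-selector mapping (the campaign's real encoding is not given in the write-up, so a decode is a lead, not a verdict). The sample extension source is constructed for the demo.

```python
# Added example for this digest (not GlassWorm's code and not from the
# researchers' report): a scanner for invisible variation-selector runs, plus
# a decoder for one ASSUMED byte-to-selector mapping.
import re
from typing import List, Tuple

# Unicode Variation Selectors (U+FE00..U+FE0F) and Variation Selectors
# Supplement (U+E0100..U+E01EF). Editors render them as nothing, so a string
# of them is invisible in source view and in most diff tools.
VS_RUN = re.compile("[\ufe00-\ufe0f\U000e0100-\U000e01ef]+")


def find_invisible_runs(source: str, min_len: int = 8) -> List[Tuple[int, int, int]]:
    """Return (line, column, length) for every run of variation selectors of at
    least min_len characters. Short runs are ignored because a single selector
    legitimately follows an emoji or a CJK ideograph."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in VS_RUN.finditer(line):
            if len(m.group()) >= min_len:
                hits.append((lineno, m.start(), len(m.group())))
    return hits


def decode_run(run: str) -> bytes:
    """Map a selector run back to bytes under an ASSUMED scheme: byte b < 16 is
    U+FE00+b, byte b >= 16 is U+E0100+(b-16). GlassWorm's real mapping is not
    given in the write-up; treat any decode as a hint to investigate."""
    out = bytearray()
    for ch in run:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
        else:
            raise ValueError(f"U+{cp:04X} is not a variation selector")
    return bytes(out)


def encode_run(data: bytes) -> str:
    """Inverse of decode_run; only used here to build the constructed sample."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def analyze(source: str) -> List[dict]:
    """Scan a source file and attach a best-effort decode to each finding."""
    lines = source.splitlines()
    report = []
    for lineno, col, length in find_invisible_runs(source):
        run = lines[lineno - 1][col:col + length]
        report.append({"line": lineno, "col": col, "length": length,
                       "decoded": decode_run(run)})
    return report


# Constructed sample: an extension entry point whose string literal carries a
# hidden command. In an editor the literal looks like an empty string.
HIDDEN_PAYLOAD = b"require('child_process').exec('id')"
SAMPLE_EXTENSION_JS = (
    "const vscode = require('vscode');\n"
    f"const t = '{encode_run(HIDDEN_PAYLOAD)}';\n"
    "function activate(ctx) { console.log('ready'); }\n"
    "module.exports = { activate };\n"
)

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EXTENSION_JS):
        print(f"line {hit['line']} col {hit['col']}: {hit['length']} invisible "
              f"chars, decodes to {hit['decoded']!r}")
```

Run it over the contents of the local extensions directory (for VS Code, the folders under ~/.vscode/extensions) after an auto-update; a hit inside a string literal that looks empty in the editor is exactly the pattern to chase. During an incident, turning off VS Code's extensions.autoUpdate setting is a reasonable complement so that a hijacked publisher cannot push a new version unnoticed.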

2. CISA Flags Critical Lanscope Bug

CISA has issued an alert for a critical flaw (CVE-2025-61932) in Motex Lanscope Endpoint Manager, urging all federal agencies to patch or mitigate affected systems by November 12, 2025. Motex, through Japan's JVN vulnerability portal, confirmed that it has received reports of malicious packets exploiting the vulnerability in the wild.

The flaw, rated 9.3 on the CVSS v4 scale, affects the on-premises Lanscope Client and Detection Agent components. It stems from improper verification of the source of a communication channel: because the affected components do not check where a packet came from, a remote attacker can send crafted packets and execute arbitrary code, potentially leading to data theft, ransomware, or full network compromise.

Motex has released patched builds from 9.3.2.7 through 9.4.7.3; earlier builds remain vulnerable. Because the bug sits in the client and agent components, every managed endpoint running an unpatched build is exposed, not only the management server. CISA recommends upgrading immediately, restricting network access to Lanscope components, enabling continuous monitoring, and enforcing least privilege and MFA. The exploitation underscores the need for layered defenses, timely patching, and strong endpoint security to prevent large-scale enterprise compromise.

3. LinkPro Rootkit Attacking GNU/Linux Systems Using eBPF Module to Hide Malicious Activities

LinkPro is a sophisticated eBPF-based rootkit for GNU/Linux discovered during forensics on a compromised AWS environment. The intrusion began with an internet-exposed Jenkins server vulnerable to CVE-2024-23897 and a malicious Docker image (kvlnt/vv) deployed across EKS clusters, which enabled container escape and credential theft. Written in Go, LinkPro runs in two modes: a passive reverse mode that activates only after it sees a TCP "magic" packet, and an active forward mode that connects out to its C2 directly.

Its stealth relies on two eBPF modules. Hide hooks getdents, sys_bpf and related tracepoints to conceal the rootkit's files, processes and its own eBPF programs from userland tooling. Knock attaches XDP and TC programs that watch for a TCP SYN with window size 54321, record the source IP, and rewrite packet headers so that follow-on traffic from that source is tunnelled to port 2233 on the host. If eBPF is unavailable, LinkPro falls back to an /etc/ld.so.preload library to hook userland calls. Persistence is achieved by masquerading as "system-resolved" (a name chosen to resemble the legitimate systemd-resolved) via a fake systemd unit and by planting a timestomped binary. Once resident it offers shell access, file operations, a SOCKS5 proxy, and multi-protocol tunnelling (HTTP/WebSocket/TCP/UDP/DNS) with XOR obfuscation. Defenders should monitor for unusual systemd units, unexpected eBPF program loads and entries in /etc/ld.so.preload, bearing in mind that the Hide module is designed to blind exactly those queries when run on a compromised host, so listings from a trusted environment (or from captured traffic) are the reliable source.
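Two of the indicators above translate directly into checks. The block below is an added example for this digest, not LinkPro code and not Synacktiv's own detection logic: it parses raw IPv4/TCP packets and flags the knock (a bare SYN carrying window size 54321; treating SYN-ACKs as non-matching is this example's assumption), and it flags systemd unit names that are not real but closely resemble one, which catches the system-resolved lookalike. The packets, the list of known units and the unit names are constructed for the demo.

```python
# Added example for this digest (not LinkPro's code and not Synacktiv's
# detection logic): a packet check for the Knock SYN and a unit-name
# lookalike check for the fake systemd service.
import difflib
import struct
from dataclasses import dataclass
from typing import List, Optional

MAGIC_WINDOW = 54321  # TCP window the Knock eBPF program matches (from the report)
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    window: int


def parse_ipv4_tcp(pkt: bytes) -> Optional[TcpSummary]:
    """Parse an IPv4 packet (no link-layer header) and return its TCP fields,
    or None if it is not TCP or is truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # pkt[9] is the IP protocol field
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    return TcpSummary(src, dst, sport, dport, off_flags & 0x1FF, window)


def is_knock(t: TcpSummary) -> bool:
    """A bare SYN (SYN set, ACK clear) carrying the magic window. Ignoring
    SYN-ACKs is this example's assumption, not something the report states."""
    return bool(t.flags & TCP_SYN) and not (t.flags & TCP_ACK) and t.window == MAGIC_WINDOW


def find_knocks(packets: List[bytes]) -> List[str]:
    """Return 'src -> dst:port' for every knock found in a list of raw packets."""
    out = []
    for pkt in packets:
        t = parse_ipv4_tcp(pkt)
        if t and is_knock(t):
            out.append(f"{t.src} -> {t.dst}:{t.dport}")
    return out


# Real unit names to compare against (a short, constructed allow-list). A
# malicious unit one character away from one of these should stand out.
KNOWN_UNITS = ["systemd-resolved.service", "systemd-networkd.service",
               "systemd-timesyncd.service", "sshd.service", "cron.service"]


def lookalike_units(unit_names: List[str]) -> List[str]:
    """Flag unit names that are not in the allow-list but closely resemble an entry."""
    flagged = []
    for name in unit_names:
        if name in KNOWN_UNITS:
            continue
        if difflib.get_close_matches(name, KNOWN_UNITS, n=1, cutoff=0.85):
            flagged.append(name)
    return flagged


# --- constructed packets for the demo (no real traffic) ---------------------
def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_tcp(src: str, dst: str, sport: int, dport: int, flags: int, window: int) -> bytes:
    """Minimal IPv4+TCP packet with zeroed checksums; enough for header parsing."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    return ip + tcp


SAMPLE_PACKETS = [
    build_tcp("10.0.0.5", "10.0.0.9", 51000, 443, TCP_SYN, 65535),                     # ordinary SYN
    build_tcp("203.0.113.7", "10.0.0.9", 40000, 80, TCP_SYN, MAGIC_WINDOW),            # knock
    build_tcp("10.0.0.9", "203.0.113.7", 80, 40000, TCP_SYN | TCP_ACK, MAGIC_WINDOW),  # reply, ignored
]
SAMPLE_UNITS = ["system-resolved.service", "sshd.service", "myapp.service"]

if __name__ == "__main__":
    print("knocks:", find_knocks(SAMPLE_PACKETS))
    print("lookalike units:", lookalike_units(SAMPLE_UNITS))
```

The packet check is meant to run on a capture taken off-host (a tap, a mirror port, or VPC flow mirroring), since the rootkit's XDP program sees and rewrites the knock before any on-host sniffer does. The unit-name check is only as good as its allow-list; in practice, build KNOWN_UNITS from a clean reference image of the same distribution.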

4. PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign

Cybersecurity researchers have detailed PolarEdge, a botnet malware first identified by Sekoia in February 2025. It targets routers and network appliances from Cisco, ASUS, QNAP and Synology, and the operators' ultimate purpose remains unknown. Attackers have exploited a known flaw in Cisco Small Business RV series routers (CVE-2023-20118) to install the malware.

PolarEdge is a TLS-based backdoor. Its primary function is to send a host fingerprint to its command-and-control (C2) server and then listen for commands over a built-in TLS server. It supports two modes: a connect-back mode that downloads files, and a debug mode that alters its configuration on the fly. Its default mode, however, is to act as a TLS server and parse incoming requests in a custom protocol; if a request sets a specific "HasCommand" parameter, the backdoor executes the supplied command and returns the output.

The malware uses anti-analysis techniques, including process masquerading, and relaunches itself automatically if the main process ends: a child process checks every 30 seconds and restarts the backdoor if needed. It does not, however, establish persistence across reboots, so a power cycle removes it until the device is compromised again.

5. TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution

Researchers at Edera uncovered CVE-2025-62518, a high-severity flaw (CVSS 8.1) dubbed TARmageddon in the async-tar Rust library and its forks, including tokio-tar, that can enable remote code execution (RCE) through file overwrites. The issue affects popular projects such as testcontainers and wasmCloud. The bug stems from inconsistent handling of PAX and ustar headers when parsing TAR files: if a PAX extended header specifies a valid size for an entry but the ustar header lists zero, the parser does not advance past the entry's data, and the bytes of that data are then interpreted as the next TAR headers. An attacker can use this to smuggle a nested archive whose entries overwrite critical files such as configuration files or build scripts. tokio-tar, last updated in July 2023, is considered abandonware; users should migrate to astral-tokio-tar v0.5.6, which fixes the issue. The flaw is a reminder that memory-safe languages like Rust prevent memory corruption, not logic errors, and that an unpatched logic bug in a parser can be just as damaging.
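The size disagreement above is easy to reproduce by hand. The block below is an added example for this digest, not Edera's proof of concept and not async-tar code: it builds a small archive whose single declared entry has a ustar size of zero and a PAX size covering a nested tar entry, then walks it with a minimal reader in both the buggy mode (advance by the ustar size) and the fixed mode (advance by the PAX size). The file names and contents are made up, and Python's tarfile module is used as a reference reader to confirm which listing is correct.

```python
# Added example for this digest (not Edera's PoC and not async-tar code):
# hand-built tar bytes with the PAX/ustar size mismatch, and a tiny reader
# that can behave either like the buggy parser or like the fixed one.
import io
import tarfile
from typing import Dict, List, Tuple

BLOCK = 512


def _blocks(n: int) -> int:
    """Bytes occupied by an n-byte body once padded to 512-byte blocks."""
    return (n + BLOCK - 1) // BLOCK * BLOCK


def _pad(data: bytes) -> bytes:
    return data + b"\0" * (_blocks(len(data)) - len(data))


def ustar_header(name: str, size: int, typeflag: bytes = b"0") -> bytes:
    """A 512-byte ustar header with a valid checksum."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode()
    h[100:108] = b"0000644\0"                  # mode
    h[108:116] = b"0000000\0"                  # uid
    h[116:124] = b"0000000\0"                  # gid
    h[124:136] = f"{size:011o}\0".encode()     # size, octal
    h[136:148] = b"00000000000\0"              # mtime
    h[148:156] = b" " * 8                      # checksum placeholder (spaces)
    h[156:157] = typeflag                      # '0' regular file, 'x' PAX header
    h[257:265] = b"ustar\x0000"                # magic "ustar\0" + version "00"
    h[148:156] = f"{sum(h):06o}\0 ".encode()   # checksum over header with spaces
    return bytes(h)


def pax_record(key: str, value: str) -> bytes:
    """'<len> key=value\\n' where <len> counts the whole record, itself included."""
    body = f" {key}={value}\n"
    n = len(body) + 1
    while len(str(n)) + len(body) != n:
        n += 1
    return f"{n}{body}".encode()


def build_malicious_tar() -> bytes:
    """One declared entry, legit.txt, whose ustar size says 0 while the PAX
    header says the real size; its body is itself a tar entry for a file the
    archive never admits to containing (made-up names)."""
    smuggled = ustar_header("etc/app/config.yml", 12) + _pad(b"admin: true\n")
    pax = pax_record("size", str(len(smuggled)))
    return (ustar_header("PaxHeaders/legit.txt", len(pax), b"x") + _pad(pax)
            + ustar_header("legit.txt", 0)     # the lie: ustar size 0
            + smuggled                          # actually legit.txt's body
            + b"\0" * (2 * BLOCK))              # end-of-archive marker


def parse_pax(data: bytes) -> Dict[str, str]:
    recs = {}
    while data:
        n_str, _ = data.split(b" ", 1)
        n = int(n_str)
        key, value = data[len(n_str) + 1:n - 1].decode().split("=", 1)
        recs[key] = value
        data = data[n:]
    return recs


def list_entries(tar: bytes, apply_pax_size: bool) -> List[Tuple[str, int]]:
    """Walk the archive. With apply_pax_size=False the reader parses the PAX
    header but still advances by the ustar size, which is the bug: the
    smuggled bytes are then read as if they were the next entry."""
    entries, off, pending = [], 0, {}
    while off + BLOCK <= len(tar):
        h = tar[off:off + BLOCK]
        if h == b"\0" * BLOCK:
            break
        name = h[0:100].split(b"\0", 1)[0].decode()
        ustar_size = int(h[124:136].split(b"\0", 1)[0] or b"0", 8)
        typeflag = h[156:157]
        off += BLOCK
        if typeflag == b"x":
            pending = parse_pax(tar[off:off + ustar_size])
            off += _blocks(ustar_size)
            continue
        size = int(pending["size"]) if apply_pax_size and "size" in pending else ustar_size
        entries.append((name, size))
        pending = {}
        off += _blocks(size)
    return entries


def stdlib_names(tar: bytes) -> List[str]:
    """Cross-check: Python's tarfile honours the PAX size and sees one entry."""
    with tarfile.open(fileobj=io.BytesIO(tar), mode="r:") as tf:
        return tf.getnames()


if __name__ == "__main__":
    evil = build_malicious_tar()
    print("buggy reader :", list_entries(evil, apply_pax_size=False))
    print("fixed reader :", list_entries(evil, apply_pax_size=True))
    print("tarfile      :", stdlib_names(evil))
```

The buggy walk reports a second entry, etc/app/config.yml, that the archive's declared listing never mentions; an extractor driven by that walk would write it. The practical check for any tar reader you depend on is the one the fixed mode performs: after a PAX header, the override size, not the ustar field, must decide how far to advance.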

6. Five New Exploited Bugs Land in CISA’s Catalog — Oracle and Microsoft Among Targets

CISA added five flaws to its Known Exploited Vulnerabilities catalog, confirming that CVE-2025-61884, a server-side request forgery (SSRF) in the Runtime component of Oracle Configurator, has been exploited in the wild. Rated CVSS 7.5, the bug is remotely exploitable without authentication and could expose sensitive data. It is the second actively exploited Oracle E-Business Suite defect alongside CVE-2025-61882 (CVSS 9.8), which enables unauthenticated RCE; Google Threat Intelligence Group and Mandiant reported dozens of affected organizations, and some of the activity may tie to Cl0p extortion operations.

CISA also listed four other issues: CVE-2025-33073 (Windows SMB Client privilege escalation, CVSS 8.8, fixed June 2025), CVE-2025-2746 and CVE-2025-2747 (Kentico Xperience authentication bypasses, both CVSS 9.8, fixed March 2025), and CVE-2022-48503 (Apple JavaScriptCore array-index validation, CVSS 8.8, fixed July 2022). Public details of how those four are being exploited remain sparse.

Federal Civilian Executive Branch agencies must remediate these KEV entries by November 10, 2025 to mitigate active threats.
