A worm hits VS Code users, F5 was breached via its own devices back in 2023, Korea Telecom's CEO says he'll resign following a recent security breach, and the Boy Scouts will award cybersecurity merit badges. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Airdrop. Today is the 22nd of October, and this podcast episode is brought to you by Dropzone.
In today's top story, a Visual Studio Code worm is targeting the developer community. The Glass Worm malware spreads using VS Code extensions distributed in the official and OpenVSX marketplaces. The malware's primary aim is to steal funds. It supports 49 different cryptocurrency wallet apps. It also collects GitHub, NPM and OpenVSX credentials to inject itself into other extensions and libraries. Koi Security says the worm uses the blockchain for command and control and has Google Calendar as a backup. It also uses unprintable Unicode characters to complicate analysis.
In other news, a recently reported breach at F5 began earlier than initially thought. The breach was discovered in August this year, but Bloomberg says the US tech company was initially compromised in 2023. The hackers exploited a vulnerability in the company's own products. Shortly after the intrusion was discovered, the company ended support for its BIG-IP Next product.
The CEO of Korea Telecom says he will resign following an investigation into a recent security breach. Hackers stole almost $170,000 from customer accounts via the company's micropayments platform. The thefts have been traced to fake mobile towers installed that harvested customer information. Kim Yongsub told reporters he intends to take responsibility for the breach, which will include stepping down.
A former developer for an American surveillance vendor was targeted with iOS spyware. Jay Gibson developed iOS exploits for Trenchant after he left the company. He says Apple warned him he was a victim of an attack with mercenary spyware. He told TechCrunch he was fired after being unfairly blamed for a leak of sensitive documents from the company's Chrome exploits team.
The Russian government is considering the introduction of online age verification checks. Russian Internet users may soon be required to show government ID to access certain websites. The age checks will be enforced on websites with adult content, violence, profanity, propaganda or antisocial behaviour.
Hackers have leaked further data about US government officials, including staff from the NSA. The group's initial leak at the weekend included data from the Department of Homeland Security and the Department of Justice. The additional data covers staff from the US Air Force, Defence Intelligence Agency, the Federal Trade Commission, Federal Aviation Administration, Centres for Disease Control and Prevention and the Bureau of Alcohol, Tobacco, Firearms and Explosives.
The personal details of 17 Israeli senior military scientists have been leaked. The Handala hacking group accused the individuals of helping to build Israel's armed forces. A week earlier, Handala also doxxed 15 Israeli officials it accused of war crimes. Previous reporting has linked the group to Iranian intelligence services.
Japanese office supply company Askul has halted online orders following a cyber attack. Several small retailers that depend on Askul have also suspended online orders. The ransomware attack occurred on Sunday.
Hackers have gained access to 1,600 customer email accounts from Australian telco Dodo. The incident occurred on Friday and led to at least 34 cases of SIM swapping attacks against Dodo mobile accounts. The company has shut down its email system to prevent further attacks.
Hackers have stolen $3.44 million worth of crypto from DeFi platform Typus Finance. Last week, hackers exploited a vulnerability to drain funds from one of its smart contracts. Typus says it filed a police report less than two hours after the hack.
A man's been sentenced to 24 weeks in a UK prison for spamming London Underground commuters with an SMS blaster. The British Transport Police arrested 31-year-old Kong Ji Chen in July after he was seen loitering in metro stations without actually taking any trains. He was carrying an SMS blaster inside a large green suitcase. Chen initially claimed he did not know what was in the suitcase he'd been given. He later pleaded guilty.
A 25-year-old has been arrested in Belarus over running a cybercrime service that registered and traded bank accounts. The service had more than 1,700 users who registered bank accounts in different regions and sold access to them on the platform. Bank accounts were registered across several former Soviet states and used to launder stolen funds. More than 70 individuals were detained in the operation.
Meta has suspended more than 8 million Facebook and Instagram accounts linked to online scams this year. The company has linked the accounts to scam compounds in Myanmar, Laos, Cambodia, the UAE and the Philippines. Last year, the company suspended 2 million accounts linked to scam compounds.
A cluster of malicious Chrome extensions is injecting code into the WhatsApp Web client to send spam messages. The cluster includes 131 extensions with an install base of almost 21,000. Their campaign is primarily targeting Brazilian users. Socket Security says it notified Google, but the extensions are still available in the Chrome Web Store.
A vulnerability in the Better Auth authentication framework allows attackers to mint API keys with elevated privileges for any user. The vulnerability is in a plugin used for building systems where users log in using API keys. According to ZeroPath, exploitation involves a single unauthenticated POST request.
Multiple unpatched vulnerabilities are exposing users of Canadian router vendor Mercku. The bugs can allow attackers to reset passwords and run malicious code on the devices. A security researcher notified the company of the flaws a year ago, but they remain unpatched. Researchers also notified the company that its support portal had been hacked in June last year, but did not receive a response.
And finally, Scouting America has announced two new merit badges for AI and cybersecurity achievements. Members can gain the badges by passing the organization's new AI and cybersecurity training courses. Boy Scouts can receive the cybersecurity badge by learning how to spot malware and phishing emails, setting strong passwords and using firewalls.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Dropzone. Find them at Dropzone AI. Thanks for your company.
Podcast: Risky Bulletin
Host: risky.biz
Date: October 21, 2025
Episode Theme:
The episode features fast-paced updates on significant recent cybersecurity incidents worldwide, with the headline focus on a new worm targeting Visual Studio Code (VS Code) users. Highlights include breaches affecting major tech and telecom companies, policy shifts in Russia, data leaks, ransomware and SIM swapping incidents, and new merit badges for the Boy Scouts in AI and cybersecurity.
A sophisticated new malware campaign, dubbed "Glass Worm," is actively targeting developers by spreading through VS Code extensions. The episode uncovers its mechanisms, intent, and potential impact, while also running down a wide array of notable breaches, attacks, and developments in the cybersecurity landscape.
“The Glass Worm malware spreads using VS Code extensions... Its primary aim is to steal funds.”
— Claire Airdrop, [00:22]
“Kim Yongsub told reporters he intends to take responsibility for the breach, which will include stepping down.”
— [01:43]
“The Handala hacking group accused the individuals of helping to build Israel's armed forces.”
— [03:13]
“Boy Scouts can receive the cybersecurity badge by learning how to spot malware and phishing emails, setting strong passwords and using firewalls.”
— [05:41]
This episode distills the week’s most critical cybersecurity news, headlined by a new worm propagating through developer tools, posing major risks to code supply chains and cryptocurrency assets. Major breaches (F5, Korea Telecom, Dodo), government policy plans (Russia, Meta), and creative cybercrime (from malware to SMS blasting) round out a comprehensive global security snapshot. The show also highlights positive moves—new youth-focused cybersecurity education through the Boy Scouts’ merit badge program.