Malware targeting macOS via OpenVSX Extensions #38
Thu Feb 05 2026
A sophisticated supply chain attack is currently targeting the macOS developer community through the Open VSX Registry, an open-source alternative to the Microsoft Visual Studio Marketplace. Attackers are leveraging the platform's vendor-neutral nature to distribute malicious extensions that masquerade as legitimate development utilities. These tools use a "shimmer" technique to perform expected functions while secretly executing background scripts that establish system persistence and exfiltrate highly sensitive data, including keychain information, browser cookies, and SSH keys.
To combat this threat, the Eclipse Foundation has implemented a significant security overhaul, mandating automated pre-publish scans for all submissions to detect malware signatures and suspicious code patterns. Additionally, the introduction of a verified publisher system aims to replace anonymous contributions with a "web of trust" by linking accounts to reputable developer profiles. Security experts now urge macOS users to audit their existing extensions and move toward pinned versions in development environments to prevent automated updates from introducing compromised code.
Welcome to the Crystal Carrier Wave. On today's show I discuss a massive security breach at the heart of the developer community where the Notepad++ update mechanism was hijacked to deliver targeted malware. We follow this with a deepening crisis in healthcare data security as a major provider reports that over 700,000 patients have now been impacted by a single breach. In the browser wars, Mozilla is taking a stand for privacy by making its new AI features strictly opt-in, while the FFmpeg project is drawing a hard line in the sand by rejecting AI-generated code patches to protect software integrity.
Moving into the world of big tech, Google Messages is finally bringing back a much-requested edit history feature, while Microsoft has been busy patching a strange bug that caused password sign-in options to vanish entirely. Windows 11 users are also navigating a desktop-breaking glitch that requires some manual intervention to fix. On the security front, Russian state-sponsored hackers are already exploiting a recently patched Office bug, reminding us all why immediate updates are critical.
In hardware news, Intel has launched the high-performance Xeon 600 series for workstations, while Adobe is officially saying goodbye to Animate as they pivot their entire strategy toward generative AI. Microsoft is also trimming its cloud portfolio by ending several standalone SharePoint and OneDrive plans. For the Linux enthusiasts, the KDE project has made a controversial decision to bind itself exclusively to systemd, and OpenAI is preparing users for the retirement of the GPT-4o model on February 13th. We also look at a US investigation into Meta’s encryption claims and the growing global backlash against the flood of AI-generated slop on social media.
For the makers and electronics hobbyists, we dive into the technical feat of defeating a 40-year-old copy protection dongle and the nostalgic beauty of using a 128-byte core memory module as a modern flash drive. Microchip is expanding its reach into automotive displays with new touchscreen ICs, and STMicroelectronics is consolidating its lead in the sensor market by acquiring NXP’s MEMS business. We also take a look at a massive, super-sized Arduino Uno and the new community-driven device database from Home Assistant, plus a $20,000 hacking challenge from Raspberry Pi that just became a little easier to enter.
Finally, in our amateur radio and LPFM segment, we highlight a vital new CHIRP file for Florida’s SARnet operators and a community effort to keep the HamClock backend alive after the passing of its creator. We wrap up with the fun news that the real WKRP is willing to share its legendary call sign with other stations to help fund the next generation of non-profit community radio.
Dangerous new malware targets macOS devices via OpenVSX extensions - here's how to stay safe
Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions
Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users
Major health provider data breach may have affected thousands more people - over 700k now thought to have been hit
Firefox Goes Opt-In AI As Mozilla Pushes Open Source Alternative To Big Tech
FFmpeg Enforces Human Review Standards, Pushes Back On AMD’s AI-Style Patch
Google Messages could soon bring back a crucial feature that was quietly removed
Microsoft fixes bug causing password sign-in option to disappear
Windows 11 bug breaks the entire desktop for some users — but luckily there's a fix
Russian hackers exploit recently patched Microsoft Office bug in attacks
Intel Launches new Intel® Xeon® 600 Processors for Workstation
Adobe Animate is shutting down as company focuses on AI
Microsoft ends some standalone SharePoint and OneDrive plans
KDE Binds Itself Tightly To Systemd, Drops Support For Non-Systemd Systems
ChatGPT-4o is going away on February 13 — here are 5 ways you can survive the upcoming 4o-pocalypse
US authorities reportedly investigate claims that Meta can read encrypted WhatsApp messages
AI 'slop' is transforming social media - and there's a backlash
U.S tech backlash grows as countries and startups seek alternatives
Defeating a 40-year-old copy protection dongle
A 128 byte core memory module as a flash drive
Microchip Intros Touchscreen ICs for Broader Automotive Display Size Ranges
STMicroelectronics expands sensors capabilities with closing of acquisition of NXP’s MEMS business
There's nothing micro about this super-sized Arduino Uno
Home Assistant Opens Contributions for the Open Home Foundation Device Database
Raspberry Pi Relaxes the Rules for Its RP2040 Hacking Challenge, $20,000 Still Up for Grabs
The Best CHIRP File for SARnet
open-hamclock-backend Aims to Keep HamClock Ticking
WKRP (a Real One) Is Willing to Share Its Call Sign