GlassWorm Malware Resurfaces, Infecting VS Code Extensions with Stealthy Unicode Attack

The GlassWorm malware campaign has re-emerged, targeting the Visual Studio Code (VS Code) ecosystem with a new set of malicious extensions, signaling a persistent threat to developers.

This renewed activity follows initial disclosures of the sophisticated, self-propagating worm that aims to compromise credentials and cryptocurrency assets.

First documented by Koi Security, GlassWorm represents an advanced supply chain attack leveraging the Open VSX Registry and the Microsoft Extension Marketplace. Its primary objective is to harvest Open VSX, GitHub, Git, and npm credentials, siphon funds from 49 different cryptocurrency wallet extensions, and deploy tools for remote access, including hidden VNC (HVNC) servers and SOCKS proxy servers. The campaign initially infected 13 extensions on Open VSX and one on the Microsoft Extension Marketplace, accumulating approximately 35,800 downloads by mid-October 2025.

A defining characteristic of GlassWorm is its use of invisible Unicode characters to embed malicious code, effectively hiding its presence within code editors and bypassing detection mechanisms. While the malware uses stolen developer credentials to spread by compromising additional extensions, the Eclipse Foundation, which maintains Open VSX, has clarified that the worm depends on this initial credential theft rather than self-replicating autonomously. The campaign’s command-and-control (C2) infrastructure employs the Solana blockchain for resilience, with Google Calendar serving as a fallback mechanism. Recent analysis also points to a Russian-speaking threat actor, who reportedly uses an open-source browser extension C2 framework called RedExt, capable of extracting cookies, browsing history, and clipboard data, and of performing system reconnaissance.
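As an added defensive check that is not part of the original article: a small scanner that reports invisible Unicode code points in extension source, the class of characters the campaign relies on to hide code from a reader looking at the editor. The sample source file and the specific characters it contains are constructed; the article does not say which code points GlassWorm used, so the scanner flags general classes (Unicode format characters and variation selectors) rather than a known signature.

```python
import unicodedata
from typing import List, Tuple

# Constructed sample of an extension source file. The zero-width characters
# after the opening brace stand in for code hidden between visible tokens;
# they are a placeholder, not the characters used by the real campaign.
SAMPLE_SOURCE = (
    "const vscode = require('vscode');\n"
    "function activate(context) {\u200b\u200d\ufe0f\n"
    "  console.log('hello');\n"
    "}\n"
    "module.exports = { activate };\n"
)

# Combining marks that render as nothing on their own and can carry hidden
# data: variation selectors and the variation selectors supplement.
INVISIBLE_RANGES = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]


def is_invisible(ch: str) -> bool:
    """True for characters that render blank in an editor but survive parsing."""
    cp = ord(ch)
    # Category Cf covers zero-width space/joiner/non-joiner, BOM, bidi controls.
    if unicodedata.category(ch) == "Cf":
        return True
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def find_invisible_chars(source: str) -> List[Tuple[int, int, str, str]]:
    """Return (line, column, U+XXXX, Unicode name) for each invisible character.

    A BOM as the very first character of the file is tolerated because editors
    emit it legitimately; a BOM anywhere else is reported like any other hit.
    """
    hits = []
    for line_no, line in enumerate(source.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if line_no == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                name = unicodedata.name(ch, "<unnamed>")
                hits.append((line_no, col, f"U+{ord(ch):04X}", name))
    return hits


def has_hidden_code(source: str) -> bool:
    """Convenience verdict for a CI gate: any hit means the file needs review."""
    return bool(find_invisible_chars(source))


if __name__ == "__main__":
    for line_no, col, cp, name in find_invisible_chars(SAMPLE_SOURCE):
        print(f"line {line_no} col {col}: {cp} {name}")
```

Running it over an extension's JavaScript files before packaging or installation turns an invisible payload into a visible line-and-column report; a clean file returns an empty list.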

In response to the initial wave of attacks, Open VSX identified and removed all flagged malicious extensions, alongside rotating or revoking associated tokens by October 21, 2025. The Eclipse Foundation further acted to revoke leaked tokens and collaborated with the Microsoft Security Response Center (MSRC) to introduce a token prefix format, “ovsxat_”, to aid in scanning for exposed tokens. Despite these mitigation efforts, the threat has resurfaced with new malicious extensions, including ai-driven-dev.ai-driven-dev (3,402 downloads), adhamu.history-in-sublime-merge (4,057 downloads), and yasuyuky.transient-emacs (2,431 downloads), still employing the same obfuscation technique, and has adapted to target GitHub projects.

The ongoing GlassWorm campaign underscores the escalating complexity of supply chain attacks and the continuous need for vigilance within developer ecosystems.