A fast-moving supply-chain worm, dubbed GlassWorm by Koi Security, has been found hiding inside multiple Visual Studio Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace. The campaign highlights how developers, and their tooling, are now prime targets for large-scale compromise, because extensions can auto-update and run code on developer machines.
What happened, at a glance
Security researchers say GlassWorm is a self-propagating piece of malware that infected 14 VS Code extensions, 13 on Open VSX and one on the Microsoft Marketplace, collectively downloaded about 35,800 times. The first wave of infections began on October 17, 2025. This incident follows another DevOps supply-chain worm, Shai-Hulud, which targeted the npm ecosystem in mid-September 2025, indicating a worrying trend in developer-focused attacks.
How GlassWorm operates, high level
GlassWorm uses several unconventional techniques to remain stealthy and resilient, for example:
- It leverages the Solana blockchain as the primary command and control channel, which makes takedown and tracking harder, because the blockchain is decentralized.
- As a fallback C2 it parses Google Calendar events for encoded commands, giving it redundancy.
- The attackers employed invisible Unicode variation selector characters, which do not render visually in editors, to hide malicious code inside otherwise benign-looking files, making code reviews less likely to spot the payload.
Rather than being a single data-stealer, the campaign assembles a modular toolkit that gathers credentials for npm, Open VSX, GitHub, and Git, extracts wallet data, and then escalates the compromise to spread further across packages and extensions.
Notable capabilities of the malware
Researchers report the attacker toolchain and payloads include, but are not limited to, the following capabilities:
- Credential theft for developer services and crypto wallets, including draining funds from 49 targeted wallet extensions.
- Deployment of SOCKS proxy servers on compromised machines, turning infected developer hosts into traffic relays for criminal activity.
- Installation of hidden VNC servers, aka HVNC, to provide persistent remote access.
- Use of peer-to-peer and decentralized mechanisms, such as WebRTC and BitTorrent DHT, to distribute commands and payloads, which increases the worm’s resilience.
- A JavaScript module, named Zombi by researchers, that acts as the second-stage payload and orchestrates much of the remote control, proxying, and lateral propagation.
Infected extensions, and scope
The infected extensions include the following packages, in the listed versions, researchers say:
- codejoy.codejoy-vscode-extension 1.8.3, 1.8.4
- l-igh-t.vscode-theme-seti-folder 1.2.3
- kleinesfilmroellchen.serenity-dsl-syntaxhighlight 0.3.2
- JScearcy.rust-doc-viewer 4.2.1
- SIRILMP.dark-theme-sm 3.11.4
- CodeInKlingon.git-worktree-menu 1.0.9, 1.0.91
- ginfuru.better-nunjucks 0.3.2
- ellacrity.recoil 0.7.4
- grrrck.positron-plus-1-e 0.0.71
- jeronimoekerdt.color-picker-universal 2.8.91
- srcery-colors.srcery-colors 0.3.9
- sissel.shopify-liquid 4.0.1
- TretinV3.forts-api-extention 0.3.1
- cline-ai-main.cline-ai-agent 3.1.3, on the Microsoft Extension Marketplace
Together these packages were installed tens of thousands of times, amplifying the worm’s reach.
Why this is especially dangerous
Several factors raise the risk level for GlassWorm:
- VS Code extensions can auto-update, which allows attackers to push malicious code later, without user interaction.
- Use of blockchain and decentralized channels for C2 means standard take-down procedures are less effective.
- Visual obfuscation via invisible Unicode characters defeats naive code inspection and many automated scanners.
- Once developer credentials or tokens are stolen, attackers can compromise repositories and packages, creating an automated propagation loop inside the software supply chain.
Mitigations and recommendations, practical steps for developers and teams
Developers and organizations should prioritize hardening developer endpoints and supply chains, for example:
- Audit installed extensions regularly, remove unused or untrusted ones, and restrict extension installs in managed environments.
- Disable automatic extension updates for sensitive developer machines, or enable updates only via an internal, reviewed mirror.
- Enforce multi-factor authentication and rotate tokens and keys after any suspected compromise.
- Monitor for unusual outbound connections, unexpected SOCKS services, or anomalous processes, and investigate promptly.
- Use code review tools that normalize and flag invisible or non-printing Unicode characters, and include such checks in CI.
- Treat any developer machine as a high-value asset, and apply endpoint protection and least-privilege controls.
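The invisible-Unicode check recommended above, as an added example that is not part of the original report or Koi Security's tooling: it flags the variation selector ranges GlassWorm abused, plus other zero-width and format characters, reports each one with file, line and column, and exits non-zero so a CI job fails. The sample input is constructed; the file suffixes scanned are an assumption.

```python
import sys
import unicodedata
from pathlib import Path

# Code points that render as nothing in most editors; variation selectors were GlassWorm's carrier, the rest are other zero-width/format characters.
INVISIBLE_RANGES = (
    (0xFE00, 0xFE0F),    # Variation Selectors
    (0xE0100, 0xE01EF),  # Variation Selectors Supplement
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embeddings and overrides
    (0x2060, 0x2069),    # word joiner, invisible operators, bidi isolates
)

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"  # catch-all for any other format character

def find_invisible(text: str):
    """Return (line, column, 'U+XXXX', name) for every invisible character, 1-based."""
    text = text.removeprefix("\ufeff")  # a leading BOM is an encoding marker, not a finding
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits

def scan_paths(paths, suffixes=(".js", ".ts", ".json")):
    """Walk files/directories; return {path: hits} only for files that contain findings."""
    findings = {}
    for root in map(Path, paths):
        for f in ([root] if root.is_file() else root.rglob("*")):
            if f.is_file() and f.suffix in suffixes:
                hits = find_invisible(f.read_text(encoding="utf-8", errors="replace"))
                if hits:
                    findings[str(f)] = hits
    return findings

# Constructed sample: reads as a harmless config, but line 2 carries three variation
# selectors right after the string literal, and an editor shows nothing there.
SAMPLE = "module.exports = {\n  name: 'demo'\U000E0100\U000E0101\uFE0F,\n};\n"

if __name__ == "__main__":
    findings = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": find_invisible(SAMPLE)}
    for path, hits in findings.items():
        for line, col, cp, name in hits:
            print(f"{path}:{line}:{col}: {cp} {name}")
    sys.exit(1 if findings else 0)  # non-zero exit fails the CI job
```

Run it with one or more paths (for example the extension's source tree) as a CI step; without arguments it scans the embedded sample and reports the three hidden code points on line 2.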