GlassWorm is a sophisticated, self-propagating worm malware that targets Visual Studio Code (VS Code) extensions distributed through open-source and proprietary marketplaces, such as OpenVSX (run by the Eclipse Foundation) and Microsoft’s Visual Studio Marketplace. It represents a significant evolution in software supply chain attacks, marking the first known instance of a self-spreading worm specifically designed for developer tooling ecosystems.
First identified in October 2025, it has since resurfaced in multiple waves, including a major resurgence as recently as December 2, 2025, compromising developer machines worldwide and potentially affecting tens of thousands of users.
Discovery and Timeline
• Initial Discovery (October 2025): Security researchers at Koi Security and Truesec uncovered GlassWorm on October 17, 2025, after it compromised seven extensions on OpenVSX, leading to 35,800 downloads. By October 19, it had spread to Microsoft’s marketplace, with ten extensions still active days later.
• Subsequent Waves: It reemerged in November 2025, despite containment efforts, and struck again on December 2, 2025, with 24 new malicious extensions impersonating popular tools like Flutter, React, Tailwind CSS, Vim, and Vue.js. These latest infections have racked up over 10,000 downloads and impacted at least 60 organizations across the U.S. and globally.
How It Spreads
GlassWorm exploits the trust in VS Code extension marketplaces by injecting malicious code into seemingly legitimate extensions. Key propagation methods include:
• Credential Theft for Automation: It harvests developer credentials from tools like NPM, GitHub, Git, and OpenVSX, using them to automatically publish new infected extensions—creating a worm-like exponential spread.
• Auto-Updates and Impersonation: Compromised extensions use built-in auto-update features to push malware silently. In recent waves, attackers inflate download counts artificially to rank malicious extensions near legitimate ones in search results, tricking developers into installing them.
• Marketplace Infiltration: It bypasses initial reviews by slipping code into the “activate” context of extensions after approval, affecting both Windows and macOS systems.
Techniques and Evasion
GlassWorm’s stealth is its hallmark:
• Invisible Unicode Obfuscation: Malicious JavaScript is hidden using non-printable Unicode characters (e.g., Private Use Area codes) that render as “invisible” in code editors and review tools, evading both automated scanners and human oversight.
• Rust-Based Implants (Recent Evolution): Newer variants embed Rust-compiled payloads as dynamic libraries (e.g., os.node DLL on Windows, darwin.node on macOS), which are harder to detect than pure JavaScript.
• Triple-Layer Persistence: It establishes registry keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) for boot-time execution and uses layered fallback mechanisms to ensure longevity.
Payloads and Capabilities
Once installed, GlassWorm executes a multi-stage payload focused on espionage, theft, and infrastructure abuse:
• Credential Harvesting: Steals login details for NPM, GitHub, OpenVSX, and Git repositories.
• Cryptocurrency Theft: Targets over 49 wallet extensions (e.g., MetaMask, Phantom) to drain digital assets.
• Proxy and Access Deployment: Installs SOCKS proxy servers to repurpose infected machines as anonymous relays for criminal operations; adds hidden VNC servers for full remote control.
• Exfiltration: Data is sent to endpoints like 140.82.52.31:80/wall.
This turns developers’ workstations into unwitting nodes in a botnet, enabling further attacks like DDoS amplification or targeted intrusions.
Command and Control (C2) Infrastructure
GlassWorm’s C2 is resilient and decentralized:
• Primary: Solana Blockchain: Commands are embedded in blockchain transactions (e.g., wallet 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2; sample transaction 49CDiVWZpuSW1b2HpzweMgePNg15dckgmqrrmpihYXJMYRsZvumVtFsDim1keESPCrKcW2CzYjN3nSQDGG14KKFM), making it takedown-resistant.
• Fallbacks: Direct IP connections (e.g., 217.69.3.218) for payload downloads and Google Calendar events (e.g., https://calendar.app.google/M2ZCvM8ULL56PD1d6, organizer uhjdclolkdn@gmail.com) as backups to fetch encrypted JavaScript stages.
Impacts
• Scale: Over 35,800 initial infections, with recent waves adding thousands more; partial victim lists show 60+ organizations hit, but the true number is likely higher due to underreporting.
• Consequences: Developers face credential compromise leading to broader supply chain risks, financial losses from crypto theft, and machine hijacking for illicit activities. It undermines trust in essential dev tools, amplifying risks in open-source ecosystems.
Mitigations and Responses
Marketplaces like OpenVSX and Microsoft have revoked compromised accounts, removed identified extensions (e.g., prisma-inc.prisma-studio-assistance on December 1, 2025), and enhanced filters—but attackers continue to adapt. Recommended defenses include:
• Extension Hygiene: Maintain an inventory of installed extensions; remove unused ones and use centralized allowlists.
• Pre-Installation Checks: Scan extensions for suspicious network calls, dependencies, or API usage; verify publisher reputation, reviews, and update history.
• Behavioral Controls: Disable auto-updates; monitor for unusual activity like outbound connections to known C2 IPs.
• Broader Security: Use endpoint detection tools to scan for Unicode anomalies or Rust implants; rotate credentials regularly and enable multi-factor authentication (MFA) on dev accounts.
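As an added example (not code from the page's sources or from any marketplace or vendor tool), the following Python scanner implements the "Unicode anomalies or Rust implants" check from the last bullet against a VS Code extension folder, covering both the invisible-Unicode and native-library techniques described earlier: it flags code points that editors render blank (Private Use Area, format characters such as zero-width and Tags-block characters, variation selectors) in extension source files, and lists compiled .node/.dll/.dylib/.so libraries for manual review. The default path ~/.vscode/extensions and the suffix lists are assumptions.

```python
import sys
import unicodedata
from pathlib import Path

EXTRA_INVISIBLE = {0x3164, 0xFFA0}  # Hangul fillers: blank in editors, but not Cf/Co
NATIVE_SUFFIXES = {".node", ".dll", ".dylib", ".so"}  # compiled payload carriers (cf. os.node, darwin.node)
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}  # assumed set of reviewable source files

def is_invisible(ch: str) -> bool:
    """True for a code point a human reviewer will not see in an editor."""
    cp = ord(ch)
    cat = unicodedata.category(ch)
    # Co = Private Use Area, Cf = format chars (zero-width, BOM, Tags block), Cn = unassigned,
    # plus the Variation Selectors Supplement (category Mn, but rendered blank).
    return cat in ("Co", "Cf", "Cn") or cp in EXTRA_INVISIBLE or 0xE0100 <= cp <= 0xE01EF

def scan_source(text: str) -> list:
    """Return [(line_no, code_point, count)] for invisible chars; a single leading BOM is benign."""
    if text.startswith("\ufeff"):
        text = text[1:]
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        counts = {}
        for ch in line:
            if is_invisible(ch):
                counts[ord(ch)] = counts.get(ord(ch), 0) + 1
        findings.extend((line_no, cp, n) for cp, n in sorted(counts.items()))
    return findings

def scan_extension_dir(root: Path) -> dict:
    """Walk one extension (or the whole extensions folder) and collect both kinds of finding."""
    report = {"invisible": [], "native": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in NATIVE_SUFFIXES:
            report["native"].append(str(path))
        elif path.suffix.lower() in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, cp, n in scan_source(text):
                report["invisible"].append((str(path), line_no, f"U+{cp:04X}", n))
    return report

if __name__ == "__main__":  # usage: python scan_ext.py [path]; default is VS Code's per-user folder
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    for kind, hits in scan_extension_dir(target).items():
        for hit in hits:
            print(kind.upper(), hit)
```

Ordinary non-ASCII text (accented letters, em dashes, CJK) is not flagged, so a clean localized extension produces no hits; any INVISIBLE line or unexpected NATIVE file is a reason to pull the extension before it activates.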
Ongoing vigilance is crucial, as GlassWorm’s blockchain resilience and impersonation tactics suggest it could evolve further. Developers should treat all extensions as potential vectors in supply chain threats.