Cybersecurity researchers have uncovered a self-propagating worm that targets Visual Studio Code (VS Code) extensions via the Open VSX Registry and Microsoft Extension Marketplace, marking a significant threat to developers. Named GlassWorm by Koi Security, this sophisticated attack follows a similar supply chain incident involving the npm ecosystem just weeks prior.
The unique feature of this threat is its use of the Solana blockchain as its command-and-control (C2) infrastructure, enhancing its resistance to shutdown attempts. Additionally, it employs Google Calendar as a fallback for its C2 operations.
The GlassWorm campaign hides its malicious code in source files behind invisible Unicode characters, so the payload does not show up in an ordinary code review and the malware can spread among developers without drawing attention. The primary objectives of the GlassWorm worm include stealing credentials from npm, Open VSX, GitHub, and Git, draining funds from 49 different cryptocurrency wallet extensions, deploying SOCKS proxy servers to facilitate criminal activities, and installing hidden VNC (HVNC) servers for remote access, ultimately compromising further packages and extensions.
Thirteen VS Code extensions from Open VSX and one from the Microsoft Extension Marketplace were identified as infected, having been downloaded around 35,800 times in total. The first detected wave of infections occurred on October 17, 2025, although how these extensions were compromised remains unclear. The infected extensions include:
- codejoy.codejoy-vscode-extension (versions 1.8.3 and 1.8.4)
- l-igh-t.vscode-theme-seti-folder (version 1.2.3)
- kleinesfilmroellchen.serenity-dsl-syntaxhighlight (version 0.3.2)
- JScearcy.rust-doc-viewer (version 4.2.1)
- SIRILMP.dark-theme-sm (version 3.11.4)
- CodeInKlingon.git-worktree-menu (versions 1.0.9 and 1.0.91)
- ginfuru.better-nunjucks (version 0.3.2)
- ellacrity.recoil (version 0.7.4)
- grrrck.positron-plus-1-e (version 0.0.71)
- jeronimoekerdt.color-picker-universal (version 2.8.91)
- srcery-colors.srcery-colors (version 0.3.9)
- sissel.shopify-liquid (version 4.0.1)
- TretinV3.forts-api-extention (version 0.3.1)
- cline-ai-main.cline-ai-agent (version 3.1.3 from Microsoft Extension Marketplace)
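A practical use of the list above is to check a developer machine against it. The script below is an added example, not a tool from the article or from Koi Security; it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints, matches them against the extension ids and versions reported above, and marks an installed extension as "infected" when both id and version match, or as "watch" when the id is on the list at a version the article does not mention (the article does not say which other versions are clean, so those still deserve a look). The listing it reads here is constructed for the example, not a real machine's output.

```python
import re
from dataclasses import dataclass

# Indicators as reported in the article: extension id -> infected versions.
INFECTED_EXTENSIONS = {
    "codejoy.codejoy-vscode-extension": {"1.8.3", "1.8.4"},
    "l-igh-t.vscode-theme-seti-folder": {"1.2.3"},
    "kleinesfilmroellchen.serenity-dsl-syntaxhighlight": {"0.3.2"},
    "JScearcy.rust-doc-viewer": {"4.2.1"},
    "SIRILMP.dark-theme-sm": {"3.11.4"},
    "CodeInKlingon.git-worktree-menu": {"1.0.9", "1.0.91"},
    "ginfuru.better-nunjucks": {"0.3.2"},
    "ellacrity.recoil": {"0.7.4"},
    "grrrck.positron-plus-1-e": {"0.0.71"},
    "jeronimoekerdt.color-picker-universal": {"2.8.91"},
    "srcery-colors.srcery-colors": {"0.3.9"},
    "sissel.shopify-liquid": {"4.0.1"},
    "TretinV3.forts-api-extention": {"0.3.1"},
    "cline-ai-main.cline-ai-agent": {"3.1.3"},
}

# One line of `code --list-extensions --show-versions` output: id@version
EXT_LINE = re.compile(r"^(?P<id>[^@\s]+)@(?P<version>\S+)$")


@dataclass(frozen=True)
class Hit:
    ext_id: str
    version: str
    status: str  # "infected" (id and version match) or "watch" (id only)


def parse_extension_list(output: str) -> list[tuple[str, str]]:
    """Turn the CLI listing into (id, version) pairs, skipping blank or odd lines."""
    items = []
    for line in output.splitlines():
        m = EXT_LINE.match(line.strip())
        if m:
            items.append((m.group("id"), m.group("version")))
    return items


def triage(installed: list[tuple[str, str]]) -> list[Hit]:
    """Compare installed extensions against the indicator list.

    Extension ids are compared case-insensitively because marketplaces treat
    publisher and name as case-insensitive identifiers.
    """
    lookup = {ext_id.lower(): versions for ext_id, versions in INFECTED_EXTENSIONS.items()}
    hits = []
    for ext_id, version in installed:
        bad_versions = lookup.get(ext_id.lower())
        if bad_versions is None:
            continue
        status = "infected" if version in bad_versions else "watch"
        hits.append(Hit(ext_id, version, status))
    return hits


# Constructed listing (not from a real machine) with one unrelated extension,
# two infected versions and one listed id at an unreported version.
SAMPLE_OUTPUT = """\
ms-python.python@2024.22.0
codejoy.codejoy-vscode-extension@1.8.4
JScearcy.rust-doc-viewer@4.2.0
sissel.shopify-liquid@4.0.1
"""

if __name__ == "__main__":
    # On a real machine: code --list-extensions --show-versions > extensions.txt
    for hit in triage(parse_extension_list(SAMPLE_OUTPUT)):
        print(f"{hit.status:8s} {hit.ext_id}@{hit.version}")
```

An "infected" hit means the extension should be removed and every credential the article lists as a target (npm, Open VSX, GitHub, Git tokens and wallet secrets on that machine) rotated; because the malware also installs a SOCKS proxy and HVNC, treat the host as compromised rather than merely cleaning the extension.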
The malware watches transactions of an attacker-controlled Solana wallet and decodes strings from their memo field to learn where to reach the C2 server, from which it fetches the next payload. That payload is an information stealer that collects credentials and cryptocurrency wallet data. The same pattern is repeated with Google Calendar: encoded strings parsed from calendar entries give the malware a fallback route to the C2 server for further malicious actions.
The JavaScript-based Zombi module escalates a GlassWorm infection to a full compromise, adding a SOCKS proxy and HVNC for remote control. Because VS Code updates extensions automatically, a malicious version reaches existing users without any action or consent on their part, which widens the spread.
"This isn’t just a singular supply chain attack; it’s a worm deliberately made to propagate through the development ecosystem," noted Idan Dardikman from Koi Security. He emphasized that attackers are shifting their focus from compromising specific packages to creating self-sustaining malware that can rapidly infect broader software development environments.
Supply chain malware that uses a public blockchain as its control channel is a worrying development, since it removes the single point of takedown that defenders usually rely on and shows how quickly threat actors adapt their tactics.