Self-spreading 'glassworm' Infects Vs Code Extensions In Wides...
Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks.
The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span of a month after the Shai-Hulud worm that targeted the npm ecosystem in mid-September 2025.
What makes the attack stand out is the use of the Solana blockchain for command-and-control (C2), making the infrastructure resilient to takedown efforts. It also uses Google Calendar as a C2 fallback mechanism.
Another novel aspect is that the GlassWorm campaign relies on "invisible Unicode characters that make malicious code literally disappear from code editors," Idan Dardikman said in a technical report. "The attacker used Unicode variation selectors – special characters that are part of the Unicode specification but don't produce any visual output."
The end goal of the attack is to harvest npm, Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, deploy SOCKS proxy servers to turn developer machines into conduits for criminal activities, install hidden VNC (HVNC) servers for remote access, and weaponize the stolen credentials to compromise additional packages and extensions for further propagation.
The names of the infected extensions, 13 of them on Open VSX and one on the Microsoft Extension Marketplace, are listed below. These extensions have been downloaded about 35,800 times. The first wave of infections took place on October 17, 2025. It's currently not known how these extensions were hijacked.
The malicious code concealed within the extensions is designed to search for transactions associated with an attacker-controlled wallet on the Solana blockchain, and if found, it proceeds to extract a Base64-encoded string from the memo field that decodes to the C2 server ("217.69.3[.]218" or "199.247.10[.]166") used for retrieving the next-stage payload.
The payload is an information stealer that captures credentials, authentication tokens, and cryptocurrency wallet data, and reaches out to a Google Calendar event to parse another Base64-encoded string and contact the same server to obtain a payload codenamed Zombi. The data is exfiltrated to a remote endpoint ("140.82.52[.]31:80") managed by the threat actor.
Written
Source: The Hacker News
