The GlassWorm malware resurfaced in a new campaign that targets developers through malicious Visual Studio Code extensions. Security researchers discovered multiple infected packages on major extension marketplaces, signalling a persistent supply-chain threat. The latest wave shows that attackers continue refining techniques to infiltrate development environments and steal high-value credentials.
How GlassWorm infiltrates developer tools
GlassWorm hides inside extensions uploaded to trusted marketplaces. Attackers rely on invisible Unicode characters that conceal malicious code from standard reviews. These hidden characters make the payload difficult to spot, even for experienced developers. Once an infected extension installs on a machine, the malware activates and collects data from integrated developer tools.
The malware focuses on platform credentials used for repositories and package publishing. Stolen credentials give attackers access to GitHub, npm, OpenVSX and other services. They can then push malicious updates, compromise projects and escalate attacks through supply-chain manipulation.
Details of the new campaign
Researchers identified dozens of new extensions linked to the current GlassWorm wave. Many appeared legitimate and gained significant download numbers before discovery. Some packages passed thousands of installations, which increased the reach of the malware.
Attackers expanded their infrastructure as well. They shifted command-and-control communication to blockchain activity that helps them remain operational even when hosting providers remove servers. The new approach complicates takedown efforts and gives the campaign higher resilience.
This wave shows attackers exploiting both the trust that developers place in extension marketplaces and the lack of strict verification for new uploads. Once developers install a compromised package, the malware gains access to their environment and collects sensitive information.
What GlassWorm steals
The GlassWorm malware collects a wide range of data:
- GitHub, npm and OpenVSX credentials
- Authentication tokens used for publishing packages
- Cryptocurrency-wallet extension data
- Configuration files and local development secrets
- System information that helps attackers pivot to remote control
The malware also installs additional components that enable remote access. It can deploy a hidden VNC client and act as a proxy host for attacker traffic. These features create a foothold that remains active even if the original extension is removed.
Risks for organisations
Compromised developer accounts can cause serious supply-chain incidents. Attackers may publish malicious updates, alter source code, or move deeper into an organisation’s infrastructure. Since developer tools often bypass traditional security controls, GlassWorm infections can remain invisible for long periods.
The campaign highlights the increasing difficulty of securing development environments. Attackers understand that credentials stored in local machines offer direct access to production systems, repository permissions and continuous-integration pipelines.
How defenders should respond
To reduce exposure, organisations should enforce strict extension policies. Teams should inspect every installed extension, remove untrusted packages and introduce approval workflows for external tools. Rotating tokens, enabling MFA and reviewing repository activity regularly can limit the impact of compromise.
Security teams should investigate unusual network traffic, unexpected marketplace logins or unexplained token activity. Sandboxed development environments provide additional defence by isolating extension behaviour.
Conclusion
The GlassWorm malware continues to evolve through new malicious VS Code extensions. Attackers exploit trusted marketplaces, hide harmful code inside invisible characters and steal credentials with high operational value. The new campaign proves that development environments remain a prime target for supply-chain attacks. Strong extension policies, better credential hygiene and continuous monitoring are essential to limit exposure and protect critical systems.


0 responses to “GlassWorm malware spreads through new wave of malicious VS Code extensions”