- Three malicious Visual Studio Code extensions linked to the GlassWorm campaign remain available for download.
- GlassWorm uses invisible Unicode characters to hide malicious code and spreads by stealing developer credentials.
- Attackers exploit blockchain-based command-and-control infrastructure for resilience against takedowns.
- A partial victim list includes global organizations, including a major Middle Eastern government entity.
- The threat actor is identified as Russian-speaking and uses an open-source browser extension framework named RedExt.
Cybersecurity experts have revealed that three harmful extensions tied to the GlassWorm campaign targeting the Visual Studio Code (VS Code) environment are still accessible for download. The discovery underscores ongoing efforts by threat actors to infiltrate the VS Code ecosystem. Details of these extensions can be found in the linked Malware-expose-attacker-infrastructure”>report.
GlassWorm first emerged late last month and operates by exploiting VS Code extensions from the Open VSX Registry and Microsoft Extension Marketplace. The campaign steals credentials from Open VSX, GitHub, and Git, drains funds from 49 cryptocurrency wallet extensions, and deploys additional remote access tools. It notably hides malicious code using invisible Unicode characters within code editors, a method aiding in evasion.
After Open VSX removed all malicious extensions and rotated tokens on October 21, 2025, research from Koi Security shows the attack resurfaced with the same obfuscation technique. Security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery stated, “The attacker has posted a fresh transaction to the Solana Blockchain, providing an updated C2 [command-and-control] endpoint for downloading the next-stage payload.” They added that blockchain-based command systems allow attackers to update payload locations cheaply and reliably, ensuring infected systems automatically fetch new server addresses.
Further investigation uncovered an exposed endpoint on the attacker’s server, revealing a partial list of victims across the U.S., South America, Europe, and Asia. The list notably includes a major government entity based in the Middle East. Keylogger data from the attacker’s own machine indicates the threat actor likely speaks Russian and employs an open-source browser extension C2 platform called RedExt.
Additional findings from Aikido Security reveal GlassWorm has expanded to target GitHub repositories, using stolen credentials to introduce malicious code commits. This ongoing campaign poses risks to real organizations and individuals whose systems and credentials may have been compromised.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Saudi Arabia Nears Launch of State-Backed Stablecoin, Pioneering Fintech
- OpenAI Eyes Healthcare, Aims to Solve Personal Health Record Puzzle
- Jim Chanos Ends MSTR Short, Signals Bitcoin Treasury Bottom
- Massive Phishing Campaign Targets Hotels with ClickFix Malware
- BRICS Weighs Article 6 vs Independent Path for Carbon Markets
