BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

GlassWorm Malware Targets VS Code with New Malicious Extensions

GlassWorm Campaign: Malicious VS Code Extensions Use Unicode Obfuscation, Blockchain C2, and Credential Theft to Target Global Organizations

  • Three malicious Visual Studio Code extensions linked to the GlassWorm campaign remain available for download.
  • GlassWorm uses invisible Unicode characters to hide malicious code and spreads by stealing developer credentials.
  • Attackers exploit blockchain-based command-and-control infrastructure for resilience against takedowns.
  • A partial victim list includes global organizations, including a major Middle Eastern government entity.
  • The threat actor is identified as Russian-speaking and uses an open-source browser extension framework named RedExt.

Cybersecurity experts have revealed that three harmful extensions tied to the GlassWorm campaign targeting the Visual Studio Code (VS Code) environment are still accessible for download. The discovery underscores ongoing efforts by threat actors to infiltrate the VS Code ecosystem. Details of these extensions can be found in the linked Malware-expose-attacker-infrastructure”>report.

- Advertisement -

GlassWorm first emerged late last month and operates by exploiting VS Code extensions from the Open VSX Registry and Microsoft Extension Marketplace. The campaign steals credentials from Open VSX, GitHub, and Git, drains funds from 49 cryptocurrency wallet extensions, and deploys additional remote access tools. It notably hides malicious code using invisible Unicode characters within code editors, a method aiding in evasion.

After Open VSX removed all malicious extensions and rotated tokens on October 21, 2025, research from Koi Security shows the attack resurfaced with the same obfuscation technique. Security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery stated, “The attacker has posted a fresh transaction to the Solana Blockchain, providing an updated C2 [command-and-control] endpoint for downloading the next-stage payload.” They added that blockchain-based command systems allow attackers to update payload locations cheaply and reliably, ensuring infected systems automatically fetch new server addresses.

Further investigation uncovered an exposed endpoint on the attacker’s server, revealing a partial list of victims across the U.S., South America, Europe, and Asia. The list notably includes a major government entity based in the Middle East. Keylogger data from the attacker’s own machine indicates the threat actor likely speaks Russian and employs an open-source browser extension C2 platform called RedExt.

Additional findings from Aikido Security reveal GlassWorm has expanded to target GitHub repositories, using stolen credentials to introduce malicious code commits. This ongoing campaign poses risks to real organizations and individuals whose systems and credentials may have been compromised.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Bitcoin Drops 4% on Geopolitical Tensions, Market Risk-Off

Bitcoin fell to $61,750.90 on Monday, July 13, as geopolitical tensions over the Strait...

New macOS Malware ‘CrashStealer’ Steals Crypto, Passwords

Researchers at Jamf Threat Labs have discovered a new macOS information stealer called CrashStealer...

Trump Urges Senate to Pass Crypto Clarity Act in Honor of Late Lindsey Graham

President Donald Trump urged the Senate to pass the Crypto Clarity Act in honor...

Google pushes TPUs to neoclouds, challenging Nvidia

Google is expanding sales of its custom TPU chips to independent cloud providers, moving...

BlueMove $500K SUI heist sparks insider job fears

Approximately $500,000 worth of Sui tokens was drained from BlueMove DEX's locked liquidity pools...

Must Read

What Are Sniper Bots Used in Defi Trading?

You've heard about DeFi, but what about sniper bots? These high-speed trading tools are shaking up the crypto scene.But don't fret, you're not...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading