- A self-propagating worm called GlassWorm spreads through Visual Studio Code extensions on the Open VSX Registry and Microsoft Extension Marketplace.
- The attack uses the Solana Blockchain and Google Calendar as command-and-control (C2) methods to avoid takedown.
- GlassWorm steals developer credentials, compromises cryptocurrency wallets, and installs proxy and remote access tools.
- The Malware exploits invisible Unicode characters to hide malicious code within extensions downloaded about 35,800 times.
- GlassWorm autonomously spreads through auto-updating extensions, representing a new type of self-sustaining supply chain attack.
On October 17, 2025, Cybersecurity researchers identified a self-spreading worm named GlassWorm infecting Visual Studio Code (VS Code) extensions available on the Open VSX Registry and Microsoft Extension Marketplace. This malware targets developers by harvesting sensitive credentials and compromising their systems.
The infected extensions include 13 on Open VSX and one on Microsoft’s marketplace, which have been downloaded approximately 35,800 times. The names of these extensions cover various utilities such as themes and code viewers. How the attackers took control of these extensions remains unclear.
GlassWorm uses the Solana blockchain to send commands to infected machines. It checks transactions related to an attacker-controlled Solana wallet to retrieve encoded instructions. If this fails, it falls back to Google Calendar events for additional C2 instructions. According to a technical report by Idan Dardikman, the malware employs invisible Unicode variation selector characters that make its code hidden in editors.
The worm collects npm, Open VSX, GitHub, and Git credentials; drains funds from 49 types of cryptocurrency wallet extensions; and sets up SOCKS proxy servers and hidden remote access tools (HVNC) on infected systems. It also installs modules for peer-to-peer communication and decentralized command distribution. The payload called Zombi extends functionality further, turning infections into fully compromised machines.
The auto-update feature of VS Code extensions allows GlassWorm to spread without user interaction. Dardikman described the threat as a worm that can rapidly propagate throughout the developer ecosystem. This incident follows a similar attack, the Shai-Hulud worm, which targeted the npm ecosystem in September 2025.
These attacks highlight growing use of blockchain technology by threat actors to avoid detection and takedown. Blockchain provides pseudonymity and flexible communication channels, making it an attractive tool for cybercrime campaigns.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- BRICS Experiences Unprecedented Gold Boom with India and China Discovering Record-Breaking Mines
- Trump Pardon Bet Odds Jump for Bankman-Fried, Ver After Zhao Release
- US Energy Chief Urges FERC to Fast-Track Big Power Users Access
- WazirX Set to Restart Cryptocurrency Trading Officially
- September CPI Release May Cause Ether Volatility Surge vs Bitcoin
