BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

GlassWorm Worm Targets VS Code Extensions in Major Supply Chain Attack

GlassWorm: A Self-Propagating Worm Infecting Visual Studio Code Extensions Using Solana Blockchain and Google Calendar for Command-and-Control

  • A self-propagating worm called GlassWorm spreads through Visual Studio Code extensions on the Open VSX Registry and Microsoft Extension Marketplace.
  • The attack uses the Solana Blockchain and Google Calendar as command-and-control (C2) methods to avoid takedown.
  • GlassWorm steals developer credentials, compromises cryptocurrency wallets, and installs proxy and remote access tools.
  • The Malware exploits invisible Unicode characters to hide malicious code within extensions downloaded about 35,800 times.
  • GlassWorm autonomously spreads through auto-updating extensions, representing a new type of self-sustaining supply chain attack.

On October 17, 2025, Cybersecurity researchers identified a self-spreading worm named GlassWorm infecting Visual Studio Code (VS Code) extensions available on the Open VSX Registry and Microsoft Extension Marketplace. This malware targets developers by harvesting sensitive credentials and compromising their systems.

- Advertisement -

The infected extensions include 13 on Open VSX and one on Microsoft’s marketplace, which have been downloaded approximately 35,800 times. The names of these extensions cover various utilities such as themes and code viewers. How the attackers took control of these extensions remains unclear.

GlassWorm uses the Solana blockchain to send commands to infected machines. It checks transactions related to an attacker-controlled Solana wallet to retrieve encoded instructions. If this fails, it falls back to Google Calendar events for additional C2 instructions. According to a technical report by Idan Dardikman, the malware employs invisible Unicode variation selector characters that make its code hidden in editors.

The worm collects npm, Open VSX, GitHub, and Git credentials; drains funds from 49 types of cryptocurrency wallet extensions; and sets up SOCKS proxy servers and hidden remote access tools (HVNC) on infected systems. It also installs modules for peer-to-peer communication and decentralized command distribution. The payload called Zombi extends functionality further, turning infections into fully compromised machines.

The auto-update feature of VS Code extensions allows GlassWorm to spread without user interaction. Dardikman described the threat as a worm that can rapidly propagate throughout the developer ecosystem. This incident follows a similar attack, the Shai-Hulud worm, which targeted the npm ecosystem in September 2025.

- Advertisement -

These attacks highlight growing use of blockchain technology by threat actors to avoid detection and takedown. Blockchain provides pseudonymity and flexible communication channels, making it an attractive tool for cybercrime campaigns.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

RWAs Overtake Bitcoin as Hyperliquid’s Largest Open Interest

Hyperliquid's RWA perpetuals hit a record $3.6 billion in open interest, overtaking Bitcoin and...

SK Hynix ADR gains vanish in under a day

SK Hynix's ADRs rose 12.7% on Nasdaq debut Friday but the entire gain was...

Binance futures hit 2026 high as spot market lags

Binance recorded $1.6 trillion in futures trading volume in June, its highest level of...

CISA adds two critical Joomla extension flaws to KEV list

U.S. CISA added two maximum-severity Joomla extension flaws to its Known Exploited Vulnerabilities (KEV)...

Russia, India push de-dollarization to hit $100 billion trade target

Russia and India are accelerating a bilateral trade deal to reach a $100 billion...

Must Read

What is Moon Tropica (CAH) – Technology, Tokenomics, Game Preview

Gaming enthusiasts and crypto enthusiasts, hHave you heard about Moon Tropica? If you're longing for that nostalgic feel of classic games from your childhood...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading