A new cyber threat named GlassWorm has been discovered attacking Visual Studio Code (VS Code) extensions. Security experts have confirmed it as the first-ever self-spreading worm targeting developers. It has already infected extensions on both the Microsoft VS Code Marketplace and the OpenVSX registry, with over 35,000 downloads recorded so far.

GlassWorm hides its malicious code using invisible Unicode characters, which appear as blank spaces in files. This trick allows it to bypass both human review and automated scanners. When users install or update an infected extension, the hidden code runs automatically. That’s how the worm silently activates without drawing attention.

Once active, GlassWorm starts stealing developer credentials and access tokens from platforms like GitHub, npm, and OpenVSX. With these stolen credentials, it uploads infected extensions under legitimate accounts. This lets the worm spread automatically to new users without direct downloads. It’s a self-replicating chain that grows rapidly inside developer environments.

The malware doesn’t stop there: it also hunts for cryptocurrency wallets and sensitive data. Researchers say it scans for over 49 different wallet extensions to steal keys and digital funds. GlassWorm can also install SOCKS proxies and remote-access tools, allowing hackers to secretly control infected systems. This turns normal developer machines into hidden attack nodes.

Another dangerous feature of GlassWorm is its communication system. Instead of using normal servers, it relies on blockchain networks and even Google Calendar events to receive commands. This decentralized design makes takedowns extremely difficult. Even if one control method is blocked, another backup channel keeps the worm alive.

Experts warn that this attack is a serious supply-chain threat to developers worldwide. Many popular extensions might already carry hidden infections. Teams using VS Code should review their installed extensions and remove any suspicious or unnecessary ones. Even trusted publishers may have been unknowingly compromised.

To stay safe, developers should rotate all stored tokens for GitHub, npm, and other services immediately. Security teams must also scan systems for strange background activity or new network connections. Adding Unicode detection tools and multi-person reviews before publishing extensions can help prevent reinfection. Caution now can stop a bigger outbreak later.
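As an illustration of the Unicode detection step mentioned above, here is an added example (not code from the researchers or from any VS Code tooling) that reports runs of invisible code points in a source string. The range list, the function names and the sample text are assumptions chosen for this sketch.

```javascript
// Added example: ranges chosen for illustration, not taken from the article.
const INVISIBLE_RANGES = [
  [0x00AD, 0x00AD, 'soft hyphen'],
  [0x200B, 0x200F, 'zero-width / direction mark'],
  [0x202A, 0x202E, 'bidi embedding/override'],
  [0x2060, 0x2064, 'word joiner / invisible operator'],
  [0x2066, 0x2069, 'bidi isolate'],
  [0xFE00, 0xFE0F, 'variation selector'],
  [0xFEFF, 0xFEFF, 'zero-width no-break space'],
  [0xE0000, 0xE007F, 'tag character'],
  [0xE0100, 0xE01EF, 'variation selector supplement'],
];

function classify(cp) {
  const hit = INVISIBLE_RANGES.find(([lo, hi]) => cp >= lo && cp <= hi);
  return hit ? hit[2] : null;
}

// Report each contiguous run of invisible code points as {line, column, length, kinds}.
// minRun = 2 skips the single selectors and joiners found in ordinary emoji;
// pass 1 for a strict review.
function scanText(text, minRun = 2) {
  const findings = [];
  let line = 1, column = 1, run = null;
  const flush = () => {
    if (run && run.length >= minRun) findings.push({ ...run, kinds: [...run.kinds] });
    run = null;
  };
  Array.from(text).forEach((ch, i) => { // Array.from iterates by code point
    const cp = ch.codePointAt(0);
    const kind = i === 0 && cp === 0xFEFF ? null : classify(cp); // leading BOM is normal
    if (kind) {
      run = run || { line, column, length: 0, kinds: new Set() };
      run.length += 1;
      run.kinds.add(kind);
    } else {
      flush();
    }
    if (ch === '\n') { line += 1; column = 1; } else { column += 1; }
  });
  flush();
  return findings;
}

// Constructed sample: line 1 has an ordinary emoji, line 2 hides four selectors in a string.
const SAMPLE = [
  'const label = "ok \u2764\uFE0F";',
  'const data = "' + String.fromCodePoint(0xFE00, 0xFE01, 0xE0100, 0xE0101) + '";',
].join('\n');

console.log(scanText(SAMPLE));
```

Run over each file of an unpacked extension before publishing or installing, a non-empty result marks the line and column a reviewer should inspect in a hex view, since an editor will show nothing there.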

The discovery of GlassWorm shows how attackers are shifting focus toward developer tools. Instead of targeting users directly, they infect the software builders rely on. This incident is a strong reminder that every part of the development process needs protection. Staying alert and applying strict security practices are the best defenses against such evolving threats.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news