A dangerous new malware called GlassWorm has made a return, targeting developers through Visual Studio Code (VS Code) extensions. This self-spreading worm is capable of infecting legitimate extensions, stealing developer credentials, and even taking remote control of systems. The campaign was first detected in October 2025 and, despite cleanup efforts, researchers have confirmed that new infected extensions appeared again in early November 2025, proving that the threat is far from over.

GlassWorm spreads through malicious VS Code extensions uploaded to online repositories like Open VSX and GitHub. Once a user installs an infected extension, the worm automatically starts to propagate by compromising other extensions on the system and uploading them to public marketplaces under new names. It’s not just another piece of malware; it’s designed to multiply itself in the development ecosystem, which makes it much harder to stop.
What makes GlassWorm especially tricky is the way it hides. Researchers discovered that the attackers used invisible Unicode characters in the source code to disguise malicious commands. To the naked eye, the infected files look completely normal, even to experienced developers. This clever obfuscation allows the worm to bypass most static security scanners and simple code reviews, making it a silent but powerful threat in the coding environment.
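One way to check extension source for the invisible characters described above, as an added example that is not from the researchers or the original article. The article does not say which characters were used, so the character classes, file suffixes and function names here are assumptions.

```python
import unicodedata
from pathlib import Path

# Assumption: the article does not name the characters used, so this flags the
# general classes that render as nothing in most editors and diff views.
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".json"}

def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS):
        return True
    # Cf = format characters: zero-width spaces/joiners, bidi controls, tag characters.
    return unicodedata.category(ch) == "Cf"

def find_invisible_runs(text, min_run=1):
    """Return (line, column, length, codepoints) for each run of invisible characters."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            end = col
            while end < len(line) and is_invisible(line[end]):
                end += 1
            # A lone U+FEFF at the very start of the file is an ordinary byte-order mark.
            is_bom = line_no == 1 and col == 0 and line[col:end] == "\ufeff"
            if end - col >= min_run and not is_bom:
                cps = [f"U+{ord(c):04X}" for c in line[col:end]]
                findings.append((line_no, col + 1, end - col, cps))
            col = end
    return findings

def scan_tree(root, min_run=1):
    """Scan source files under root; returns {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            hits = find_invisible_runs(path.read_text("utf-8", errors="replace"), min_run)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: renders like `const a = "";` but carries 8 hidden characters.
SAMPLE = 'const a = "' + "".join(chr(0xFE00 + i) for i in range(8)) + '";\nlet b = 1;\n'
```

Single hits are common in legitimate files (emoji sequences use U+200D and U+FE0F), so raising `min_run` when calling `scan_tree` on an extensions directory surfaces the long runs that deserve a manual look first.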
The malware’s behavior is deeply concerning. Once inside a system, GlassWorm steals credentials from GitHub, npm, and other developer tools. It also searches for cryptocurrency wallet extensions (more than 40 different types) to drain any funds it can access. Additionally, it sets up hidden SOCKS proxy servers, allowing attackers to route internet traffic through infected computers. In some cases, the worm even installs VNC servers, which can give remote access to hackers without the user’s knowledge.
Researchers also revealed that GlassWorm uses advanced communication methods. Instead of relying on traditional servers for command and control, the malware uses the Solana blockchain to receive instructions, making it extremely difficult to track or shut down. It even uses Google Calendar events as a backup communication channel. This level of sophistication shows that the threat actors behind GlassWorm are highly skilled and well-resourced.
Security analysts have already found several known infected extensions. Some of these include “codejoy.codejoy-vscode-extension,” “l-igh-t.vscode-theme-seti-folder,” and “cline-ai-main.cline-ai-agent,” among others. These extensions were downloaded thousands of times before being taken down. Since VS Code extensions can update automatically, many developers may have been infected without realizing it. Even though the malicious versions were removed, new variants continue to appear.
Experts are warning developers to take immediate precautions. Anyone using VS Code should carefully review their installed extensions and remove any they don’t recognize or no longer need. It’s also important to reset credentials, rotate tokens, and check for suspicious network connections. Using verified sources and trusted extension authors can greatly reduce the risk of infection. Developers are also advised to scan their systems with updated antivirus tools and keep backups of important files.
In short, GlassWorm represents a new wave of supply-chain attacks targeting the very tools developers rely on every day. Its use of invisible code, blockchain communication, and self-propagation makes it one of the most advanced threats seen in the software ecosystem. The incident is a clear reminder that cybersecurity now extends far beyond servers and endpoints; even developer environments must be treated as critical assets that require constant monitoring and protection.
Stay alert, and keep your security measures updated!


