GlassWorm – The Stealth Malware in the Extension Era
28/10/2025
A new supply chain attack campaign is silently spreading across the globe, targeting software developers — including users of OpenVSX and Microsoft Visual Studio Code (VS Code).
The malicious software, named GlassWorm, has been downloaded more than 35,800 times, turning developers’ computers into “links” in a growing cybercriminal network.
Sophisticated Attack Techniques
GlassWorm was discovered after security researchers analyzed suspicious extensions on the OpenVSX repository.
What makes it especially dangerous is its use of invisible Unicode characters to hide malicious code, effectively making it disappear — even when developers manually inspect the source in their code editors.
Once installed, GlassWorm self-propagates by stealing developer credentials (GitHub, npm, OpenVSX, etc.) and using compromised accounts to distribute more infected extensions.
When active, the malware can:
- Hide malicious JavaScript code using invisible Unicode characters
- Steal login credentials from popular developer platforms
- Exfiltrate crypto wallet data from over 40 cryptocurrency-related extensions
- Install SOCKS proxy and HVNC (Hidden Virtual Network Computing) for remote control
- Activate the ZOMBI payload, turning the victim’s machine into a node in a botnet
Notably, GlassWorm uses the Solana blockchain to host its command-and-control (C2) instructions, allowing attackers to evade detection and takedown.
It also employs Google Calendar and BitTorrent DHT as backup communication channels — significantly increasing its resilience.
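The invisible-character hiding described in this section can be checked for before an extension is trusted. The scanner below is an added example, not code from the researchers or from DTG CORP; the code point ranges, the file suffixes, and the names find_runs and scan_tree are assumptions, since the article does not say which characters GlassWorm used.

```python
import sys
from pathlib import Path

# Assumed "invisible" code points (the article names none), kept broad.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM)
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".json"}  # assumed file types

def is_invisible(ch):
    return any(lo <= ord(ch) <= hi for lo, hi in INVISIBLE_RANGES)

def find_runs(text):
    """Return (line, column, length, first code point) per run of invisible chars."""
    runs = []
    for lineno, line in enumerate(text.split("\n"), 1):
        col = 0
        while col < len(line):
            end = col
            while end < len(line) and is_invisible(line[end]):
                end += 1
            # A lone BOM at the very start of a file is normal, not a finding.
            lone_bom = lineno == 1 and col == 0 and line[col:end] == "\ufeff"
            if end > col and not lone_bom:
                runs.append((lineno, col + 1, end - col, f"U+{ord(line[col]):04X}"))
            col = max(end, col + 1)
    return runs

def scan_tree(root, min_run=1):
    """Return {path: runs} for source files under root with runs >= min_run."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            runs = [r for r in find_runs(text) if r[2] >= min_run]
            if runs:
                findings[str(path)] = runs
    return findings

if __name__ == "__main__":
    for path, runs in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, *runs, sep="\n  ")
```

Run it against an unpacked extension directory. A single zero-width joiner or variation selector can be part of a legitimate emoji sequence, so long runs inside script files are the findings that merit manual review.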
Widespread Impact
Researchers confirmed at least 12 compromised extensions in the OpenVSX and VS Code Marketplace repositories, including popular packages such as Codejoy, recoil, better-nunjucks, and cline-ai.
Even more concerning, the auto-update mechanism in VS Code could silently install infected extensions — exposing thousands of developers without their knowledge.
GlassWorm is considered the first known worm-capable supply chain malware to operate within the VS Code ecosystem, expanding its reach to:
- Corporate systems where developers work
- Open-source and startup projects
- Blockchain and crypto wallet infrastructures
- The entire global software supply chain
DTG CORP Security Recommendations
This is a highly severe supply chain incident that could directly impact the developer community in Vietnam.
DTG CORP’s cybersecurity experts recommend taking immediate precautions:
- Remove or review any extensions listed among known infected packages
- Temporarily disable auto-updates for extensions in VS Code
- Reset all passwords for GitHub, npm, OpenVSX, and VS Code Marketplace accounts
- Monitor system processes for unusual proxy activity, or connections to Solana and BitTorrent networks
- Download extensions only from verified, trusted sources with proper authentication
Key Takeaway
GlassWorm is a powerful reminder that even developers — the people who build and secure software — can become victims of supply chain attacks.
In the age of AI and “extension-driven” development, every plugin or convenience tool can be weaponized if security is neglected.
It’s time for both individuals and organizations to make development environment security an integral part of safe operations.
DTG CORP – Your Trusted Technology Partner in Vietnam
We work alongside the community to detect, prevent, and respond early to the growing sophistication of modern cyber threats.
(Information referenced from WhiteHat)




