GlassWorm Malware Targets Developers Through OpenVSX Marketplace – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More



A new malware campaign named GlassWorm has been uncovered, targeting developers who use Visual Studio Code extensions through the OpenVSX marketplace. The threat, identified by Koi Security, spreads automatically across developer environments by hijacking trusted extensions and using stolen credentials to infect others.

This worm hides inside everyday development tools, not in end-user software. Instead of attacking applications directly, it works by taking over the extensions that developers depend on.

Once active, the malware steals credentials from NPM, GitHub, and Git, drains funds from 49 different cryptocurrency wallets, and deploys hidden VNC and SOCKS proxies to maintain access and control.

One of the malicious extensions on the marketplace (Image via Koi)

Researchers found that GlassWorm hides its malicious payload using invisible Unicode variation selectors, which make the harmful code practically invisible to human reviewers and even many automated security scanners. This trick lets the malware pass regular code reviews without raising suspicion, giving attackers more time to spread it to other extensions.
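A reviewer can surface this kind of hidden content mechanically. The following is an added example, not code from Koi Security or Hackread: a small Node.js check that reports runs of Unicode variation selectors in source text. The run threshold and the sample input are assumptions constructed for illustration.

```javascript
// Added example: flag invisible Unicode variation selectors in source text.
// Ranges per the Unicode standard: VS1-VS16 (U+FE00..U+FE0F) and
// VS17-VS256 (U+E0100..U+E01EF).
const isVS = (cp) =>
  (cp >= 0xfe00 && cp <= 0xfe0f) || (cp >= 0xe0100 && cp <= 0xe01ef);

// Assumed heuristic: a legitimate variation sequence is one base character
// followed by exactly one selector, so a run of 2 or more is suspicious.
// Supplementary-plane selectors are rare in code and are always reported.
const MIN_RUN = 2;

function findSelectorRuns(text, minRun = MIN_RUN) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    // Array.from iterates by code point, so columns count code points.
    const cps = Array.from(line, (ch) => ch.codePointAt(0));
    let start = -1;
    for (let i = 0; i <= cps.length; i++) {
      const inRun = i < cps.length && isVS(cps[i]);
      if (inRun && start < 0) start = i;
      if (!inRun && start >= 0) {
        const length = i - start;
        const supplementary = cps.slice(start, i).some((c) => c >= 0xe0100);
        if (length >= minRun || supplementary) {
          findings.push({ line: idx + 1, column: start + 1, length, supplementary });
        }
        start = -1;
      }
    }
  });
  return findings;
}

// Constructed sample: line 1 holds a normal emoji presentation selector,
// line 2 holds four arbitrary selectors that render as nothing.
const hidden = String.fromCodePoint(0xfe01, 0xe0100, 0xe0141, 0xfe0e);
const SAMPLE = [
  "const label = 'ok \u2764\uFE0F';",
  "const s = '" + hidden + "';",
  "module.exports = { label, s };",
].join("\n");

for (const f of findSelectorRuns(SAMPLE)) {
  console.log(`line ${f.line}, col ${f.column}: ${f.length} variation selectors`);
}
```

Run over an extension's unpacked files before installation or in CI, a non-empty result marks a file for manual inspection in a hex view rather than in the editor.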

Its command-and-control operations are also highly unconventional. Instead of using a standard remote server, GlassWorm communicates through the Solana blockchain, making it difficult to track or shut down. If Solana stops working, the attackers can use Google Calendar as an alternate command channel, giving them another way to keep control.

Malicious Google Calendar invite (Image via Koi)

Koi Security reported that over 35,800 installations have already been affected, and at least ten compromised extensions remain active on the OpenVSX marketplace as of this week. The investigation continues as teams work to identify and remove all infected components.

Dale Hoak, Chief Information Security Officer at RegScale, said the incident highlights deeper compliance challenges across the open-source ecosystem. “Software supply chain attacks no longer target only the end product; they exploit the very tools and dependencies developers trust most,” he explained. Hoak emphasised that organisations must move toward continuous monitoring and automation across their build pipelines to detect unauthorised changes in real time.

He added that compliance cannot be treated as a one-time checkbox exercise. “Controls governing software supply chain integrity should be built into CI/CD pipelines, with continuous validation and provenance tracking as standard practice,” Hoak said. “When threats like GlassWorm appear, teams should already have evidence of ongoing compliance and the ability to respond immediately.”

GlassWorm’s spread through OpenVSX shows developers have become a prime target for attackers. Therefore, they must verify every extension, audit dependencies regularly, and watch for unusual network or credential activity.




