GlassWorm Plants Malicious VS Code Extensions in OpenVSX, Leveraging Unicode Tricks and Blockchain C2

CyberSecureFox 🦊

Threat actors tracked as GlassWorm have again compromised the Visual Studio Code ecosystem by publishing three new malicious extensions to OpenVSX, accumulating more than 10,000 downloads before removal. The incident follows tightened controls after a previous wave, underscoring persistent gaps in marketplace vetting and developer defenses.

Who is GlassWorm and why this campaign matters

Observed since October 2025, GlassWorm focuses on credential theft from developer platforms and registries—GitHub, npm, and OpenVSX—as well as cryptocurrency wallet compromise. The group’s hallmark is hiding malicious JavaScript logic using invisible Unicode characters, which evade many static checks and manual reviews. Once credentials are stolen, the malware exhibits worm-like behavior: it uses victims’ tokens and passwords to push tainted updates or new extensions to resources the victim can access, propagating through the software supply chain.

Resilient command-and-control via Solana and Google Calendar

The operation maintains command-and-control (C2) via the Solana blockchain, with a fallback channel over Google Calendar. Public, decentralized ledgers are difficult to disrupt, while C2 over mainstream cloud services blends with benign traffic, complicating detection and takedown.

Earlier wave: 12 compromised extensions and tens of thousands of downloads

In an October campaign, investigators identified 12 poisoned extensions across OpenVSX and the Visual Studio Code Marketplace, totaling approximately 35,800 downloads. While some activity may reflect inflated metrics, the scale indicates material exposure. OpenVSX responded by revoking affected publishers’ tokens and introducing additional safeguards.

Why Unicode obfuscation bypassed defenses

According to Koi Security, which has been tracking GlassWorm, the latest three malicious OpenVSX extensions reused the same Unicode-based concealment. The method inserts zero-width characters (for example, U+200B, U+200C, U+200D) and lookalike letters (confusables) so that code appears normal but behaves differently—altering string concatenation, comparisons, or identifier resolution. This aligns with risks highlighted in the “Trojan Source” research (University of Cambridge, 2021; CVE-2021-42574) and the Unicode Consortium’s UTS #39: Security Mechanisms, where invisible and confusable characters can subvert reviews, diffs, and signature-based detection.

Expansion to GitHub and victimology

Security firm Aikido previously warned that GlassWorm broadened its campaign to GitHub, raising the risk to teams dependent on internal and open-source extensions and packages. Koi Security reports that, after obtaining access to an attacker-controlled server via an anonymous tip, evidence indicated victims in the United States, South America, Europe, and Asia, with documented intrusions into government entities in the Middle East. Operators are described as Russian-speaking and using the open-source framework RedExt. Collected artifacts, including exchange and messenger identifiers, were shared with law enforcement, and coordinated victim notifications are underway.

Risk analysis and practical mitigation

The campaign highlights systemic blind spots: marketplace review pipelines rarely normalize or forbid confusables, many linters ignore zero-width characters, and build chains do not consistently enforce safe Unicode handling. Effective countermeasures revolve around prevention, detection, and response across the marketplace, CI/CD, and endpoint layers.

Marketplace and registry controls

OpenVSX and VS Code Marketplace should strengthen publisher verification, enforce hardware-backed 2FA for sensitive actions, expand static analysis to flag zero-width and confusable characters, apply reputation signals to auto-quarantine suspicious updates, and perform retroactive scans of installed packages with forced user notifications when trust is revoked.

Enterprise and developer safeguards

Engineering teams should adopt an allowlist of extensions, restrict installations from unofficial sources, audit existing VS Code add-ons, and monitor for anomalous egress—including traffic to Solana RPC endpoints and atypical Google Calendar API activity. Regularly rotate GitHub/npm/OpenVSX tokens, store secrets in dedicated managers, and automate revocation of suspected credentials. In the toolchain, enable “show invisible characters” in the IDE, add pre-commit hooks and linters to detect U+200B/U+200C/U+200D and confusables, and normalize source code per Unicode security guidance.
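The pre-commit check suggested above, as an added example that is not code from the article, from Koi Security, or from any GlassWorm sample: a small scanner that flags the zero-width characters named in the text, the bidi control characters from Trojan Source, identifier-like tokens that change under NFKC normalization, and tokens that mix ASCII letters with non-ASCII lookalikes. The sample source lines and the token regex are constructed assumptions for the demo.

```javascript
// Flags zero-width characters, bidi controls (Trojan Source, CVE-2021-42574),
// tokens that change under NFKC, and tokens mixing ASCII and non-ASCII letters.
const ZERO_WIDTH = new Map([
  [0x200b, 'ZERO WIDTH SPACE'], [0x200c, 'ZERO WIDTH NON-JOINER'],
  [0x200d, 'ZERO WIDTH JOINER'], [0x2060, 'WORD JOINER'],
  [0xfeff, 'ZERO WIDTH NO-BREAK SPACE'],
]);
// U+202A..U+202E embeddings/overrides and U+2066..U+2069 isolates.
const BIDI_CONTROLS = new Set([0x202a, 0x202b, 0x202c, 0x202d, 0x202e,
  0x2066, 0x2067, 0x2068, 0x2069]);
const hex = (cp) => 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');

function scanSource(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    // Pass 1: walk code points (not UTF-16 units) for invisible and bidi controls.
    let col = 0;
    for (const ch of line) {
      col += 1;
      const cp = ch.codePointAt(0);
      if (ZERO_WIDTH.has(cp)) {
        findings.push({ line: i + 1, col, kind: 'zero-width', detail: hex(cp) });
      } else if (BIDI_CONTROLS.has(cp)) {
        findings.push({ line: i + 1, col, kind: 'bidi-control', detail: hex(cp) });
      }
    }
    // Pass 2: walk identifier-like tokens for confusables.
    for (const m of line.matchAll(/[\p{L}\p{N}_$]+/gu)) {
      const tok = m[0];
      if (tok.normalize('NFKC') !== tok) {
        findings.push({ line: i + 1, col: m.index + 1, kind: 'nfkc-unstable', detail: tok });
      } else if (/[A-Za-z]/.test(tok) && /[^\x00-\x7f]/.test(tok)) {
        // e.g. Cyrillic 'а' (U+0430) standing in for Latin 'a'
        findings.push({ line: i + 1, col: m.index + 1, kind: 'mixed-script', detail: tok });
      }
    }
  });
  return findings;
}

// Constructed sample: one clean line, then one line per trick.
const SAMPLE = [
  'const apiKey = process.env.TOKEN;',
  'const pay\u200bload = fetch(url);',   // zero-width space hides inside "payload"
  "if (role === 'admin\u202e') { }",     // right-to-left override inside a string
  'const \u0430dmin = true;',            // Cyrillic a in an identifier
  'const \uff54oken = 1;',               // fullwidth t, NFKC-normalizes to "t"
].join('\n');
for (const f of scanSource(SAMPLE)) console.log(`${f.line}:${f.col} ${f.kind} ${f.detail}`);
```

Wire `scanSource` over staged files in a pre-commit hook and fail the commit on any finding; legitimate non-ASCII in comments or string literals will need an allowlist, which is the usual tuning cost of this class of check.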

GlassWorm’s latest wave underscores the fragility of extension-centric supply chains. Organizations should inventory their IDE extensions, pin trusted sources, harden Unicode handling, and instrument monitoring for blockchain- and cloud-based C2 patterns. Timely token rotation, extension hygiene, and marketplace due diligence reduce the likelihood of lateral movement and repository compromise.
