GlassWorm Malware Strikes Visual Studio Code Marketplace in New Supply Chain Campaign

CyberSecureFox 🦊

The malicious GlassWorm malware family, designed to compromise Visual Studio Code (VS Code) development environments, has resurfaced in official extension repositories. After two previous incidents, the operators have launched a third wave, uploading a total of 24 new malicious packages to the Microsoft Visual Studio Marketplace and the OpenVSX registry.

GlassWorm malware: evolving threat to Visual Studio Code and DevOps pipelines

GlassWorm was first identified in October 2025 as a specialized threat targeting developer workstations and CI/CD tooling. The malware is capable of stealing GitHub, npm, and OpenVSX credentials, cryptocurrency wallet data, and sensitive information handled by dozens of popular VS Code extensions. By compromising developer accounts, attackers gain a highly privileged foothold into software delivery pipelines.

A distinctive feature of GlassWorm is its use of invisible Unicode characters to hide malicious JavaScript code. These zero-width or non-printable characters are not visibly rendered in the editor, but they allow attackers to embed and obfuscate executable logic inside otherwise legitimate-looking source files and extension scripts, complicating manual review and static analysis.

Beyond credential theft, GlassWorm behaves as a network worm in the development ecosystem. Using stolen accounts, it can upload, modify, or backdoor extensions that the victim maintains or can access, effectively chaining infections across projects and organizations. This turns a local compromise into a broader software supply chain attack, where malicious code is propagated through trusted distribution channels.

Solana blockchain and Google Calendar as resilient C2 channels

Researchers have documented an unusual command-and-control (C2) architecture for GlassWorm. The operators leverage the Solana blockchain as a decentralized C2 channel, embedding encrypted instructions in transaction fields. Because public blockchains are designed to be tamper-resistant and hard to censor, this approach complicates takedown efforts and traditional blacklisting of C2 servers.

As a fallback communication channel, GlassWorm also abuses Google Calendar. Using legitimate cloud services for C2 is a common tactic in modern malware: traffic to popular platforms blends into normal web activity and is less likely to be blocked by perimeter security tools that rely on domain reputation or simple allowlists.

Second and third GlassWorm waves in VS Code Marketplace and OpenVSX

During the second documented campaign in November, GlassWorm operators again infiltrated OpenVSX with three new VS Code extensions. Despite tightened checks after the initial incident, these malicious packages were downloaded more than 10,000 times, underscoring how attractive and effective extension ecosystems are as attack surfaces.

The third wave, analyzed by Secure Annex, shows a clear attempt to maximize reach among web and application developers. New packages masquerade as extensions for Flutter, Vim, YAML, Tailwind CSS, Svelte, React Native, and Vue – technologies widely used by frontend and mobile engineers, which raises the odds that a developer installs one of them by mistake while setting up routine tooling.

Malicious Visual Studio Code Marketplace extensions linked to GlassWorm

The following extensions were identified in the official VS Code Marketplace (some have since been removed):

  • iconkieftwo.icon-theme-materiall (removed 1 December 2025)
  • prisma-inc.prisma-studio-assistance (removed 1 December 2025)
  • prettier-vsc.vsce-prettier
  • flutcode.flutter-extension
  • csvmech.csvrainbow
  • codevsce.codelddb-vscode
  • saoudrizvsce.claude-devsce
  • clangdcode.clangd-vsce
  • cweijamysq.sync-settings-vscode
  • bphpburnsus.iconesvscode
  • klustfix.kluster-code-verify
  • vims-vsce.vscode-vim
  • yamlcode.yaml-vscode-extension
  • solblanco.svetle-vsce
  • vsceue.volar-vscode
  • redmat.vscode-quarkus-pro
  • msjsdreact.react-native-vsce

Malicious OpenVSX extensions used in the GlassWorm campaign

The following OpenVSX packages were observed, including one overlapping with the Marketplace list:

  • bphpburn.icons-vscode
  • tailwind-nuxt.tailwindcss-for-react
  • flutcode.flutter-extension
  • yamlcode.yaml-vscode-extension
  • saoudrizvsce.claude-dev
  • saoudrizvsce.claude-devsce
  • vitalik.solidity

Attack tactics: clean initial releases, malicious updates, and fake popularity

Analysis shows that these extensions are initially published without any malicious payload. This allows them to pass automated and manual moderation, building an installation base and user trust. Only after achieving a critical mass of users do operators push an update that introduces the GlassWorm implant, turning a previously benign extension into a Trojan horse.

To boost visibility and search ranking, the attackers artificially inflate download counts. High installation numbers and rapid growth improve the placement of these extensions in search results on the VS Code Marketplace and OpenVSX, positioning them alongside the legitimate tools they impersonate. Industry reports on package repositories have been warning for years that such supply chain attacks via public registries are growing steadily in frequency and impact.

Technical evolution: Rust-based implant and Unicode-hiding techniques

The latest GlassWorm campaign highlights the technical evolution of the malware. New variants embed an implant written in Rust inside the extensions. Rust’s focus on performance and memory safety also benefits malware authors: Rust binaries can be harder to reverse engineer, and their compiled output is less predictable for traditional signature-based detection engines.

At the same time, the technique of using invisible Unicode characters remains in use to further obfuscate JavaScript components in VS Code extensions. This combination of native Rust payloads and stealthy script-level obfuscation increases the difficulty of static analysis, code review, and automated scanning.

Platform response and practical security recommendations for developers

When questioned about GlassWorm’s repeated ability to bypass marketplace defenses, OpenVSX declined to comment. Microsoft stated that it is continuously improving its scanning and abuse-detection systems and urges users to report suspicious extensions via the “Report Abuse” link available on every extension page.

Given the persistence of the GlassWorm malware, organizations should treat IDEs and extensions as part of their critical attack surface. Practical measures include:

  • restricting extension installation to vetted publishers;
  • regularly auditing installed extensions;
  • tracking security advisories related to developer tools;
  • enforcing multi-factor authentication on GitHub and other developer platforms;
  • isolating development environments from secret stores and cryptocurrency wallets wherever possible.

Recognizing that even the official Visual Studio Code Marketplace and OpenVSX are not inherently trustworthy is a key step toward building more resilient software supply chains.
