A dangerous campaign known as GlassWorm continues to threaten the Visual Studio Code (VS Code) ecosystem, with cybersecurity researchers recently disclosing three additional malicious extensions designed to target users. These extensions—identified as ai-driven-dev.ai-driven-dev (with 3,402 downloads), adhamu.history-in-sublime-merge (with 4,057 downloads), and yasuyuky.transient-emacs (with 2,431 downloads)—remain available for download. The GlassWorm campaign, initially documented by Koi Security, is focused on leveraging compromised VS Code extensions found on both the Open VSX Registry and the Microsoft Extension Marketplace. Its core objective is to harvest crucial credentials for Open VSX, GitHub, and Git, along with draining funds from 49 different cryptocurrency wallet extensions, and deploying additional tools for remote access.
This malware is particularly notable for its stealth and its propagation mechanism. It uses invisible Unicode characters to hide malicious code from anyone reviewing an extension's source in an editor, making it difficult to detect. Furthermore, it weaponizes the credentials it steals to compromise even more extensions, establishing a self-replication loop that lets it spread like a worm. While Open VSX responded to the initial threat by removing all identified malicious extensions and revoking the associated tokens as of October 21, 2025, the problem has proven resilient. A recent report from Koi Security confirms that the threat has returned, using the same invisible-Unicode obfuscation technique to evade security detections once again.
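A defender-side check for the obfuscation described above, added here as an example and not code from the article or from Koi Security: it scans an extension's source for code points that render as nothing in an editor and reports where they sit. The set of ranges flagged is my assumption, since the article does not list which characters the GlassWorm extensions used, and the sample source is constructed.

```python
import sys
import unicodedata

# Code points that render as nothing in most editors and have no place in source.
# This set is an assumption for the example; the article does not list the ones used.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible times/separator/plus
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM) inside a file
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
)
ALLOWED_CONTROLS = {"\t", "\n", "\r"}

def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Other control (Cc) / format (Cf) characters, apart from ordinary whitespace.
    return unicodedata.category(ch) in ("Cc", "Cf") and ch not in ALLOWED_CONTROLS

def scan_source(text):
    """Return (line, column, U+XXXX, name) for every invisible code point in text."""
    hits = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "<unassigned or control>")
                hits.append((line_no, col, f"U+{ord(ch):04X}", name))
    return hits

def reveal_tags(text):
    """Map Unicode tag characters (U+E0020..U+E007E) back to the ASCII they mirror."""
    return "".join(chr(ord(c) - 0xE0000) if 0xE0020 <= ord(c) <= 0xE007E else ""
                   for c in text)

# Constructed sample: a zero-width pair after a statement, and ASCII "ok" hidden as
# tag characters inside an otherwise empty function body.
SAMPLE_JS = ('const greet = "hi";\u200b\u200c\n'
             'function run() {\U000E006F\U000E006B}\n')

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JS
    for line, col, cp, name in scan_source(src):
        print(f"line {line} col {col}: {cp} {name}")
    print("hidden tag text:", repr(reveal_tags(src)))
```

Run it against an extension's bundled JavaScript (for example the path the extension's package.json names as its main entry) before trusting a visual review; any hit is worth inspecting.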
In a key finding, the attackers demonstrated the resilience of their operational infrastructure. Security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery revealed that the attacker posted a new transaction to the Solana blockchain carrying an updated C2 (command-and-control) endpoint from which the next-stage payload is downloaded. This highlights the robustness of blockchain-based C2: even if the servers distributing the payload are taken down, the threat actor can simply post a low-cost transaction announcing the new location, and every previously infected machine automatically retrieves the new C2 address and continues operating.
Further investigations by the security vendor led to the identification of an inadvertently exposed endpoint on the attacker’s server, which provided a partial list of victims. This list spans multiple continents, including the U.S., South America, Europe, and Asia, and disturbingly includes a major government entity located in the Middle East. Analysis of keylogger information, potentially from the attacker’s own machine, offered some insights into the threat actor’s origin. The individual is assessed to be a Russian speaker who uses an open-source browser extension C2 framework called RedExt as a component of their operational infrastructure.
The consequences of this sophisticated campaign are substantial. Koi Security stressed the impact, stating that real organizations and individuals have had their credentials harvested, their machines potentially utilized as criminal proxy infrastructure, and their internal networks subjected to compromise. This ongoing development comes closely after Aikido Security published findings indicating that the GlassWorm campaign has broadened its scope to specifically target GitHub, confirming that the stolen GitHub credentials are being actively used to push malicious commits into legitimate repositories, further expanding the scale of the compromise.