
A month after Shai Hulud became the first self-propagating worm in the npm ecosystem, we have discovered the first worm targeting VS Code extensions on the OpenVSX and Microsoft VS Code marketplaces.

But GlassWorm isn't just another supply chain attack. It uses stealth techniques we have not seen in the wild before: invisible Unicode characters that make the malicious code vanish from the editor view while it still runs. Combine that with C2 addressing stored on a blockchain, where it cannot be taken down, a Google Calendar event as a backup command channel, and a full remote access trojan that turns every infected developer machine into a criminal proxy node.

This is one of the most sophisticated supply chain attacks we have analyzed, and it is spreading right now.

Read the technical breakdown blog post here.

What GlassWorm does to infected systems:

  • Harvests NPM, GitHub, and Git credentials for supply chain propagation
  • Targets 49 different cryptocurrency wallet extensions to drain funds
  • Deploys SOCKS proxy servers, turning developer machines into criminal infrastructure
  • Installs hidden VNC servers for complete remote access
  • Uses stolen credentials to compromise additional packages and extensions, spreading the worm further

The attack went live yesterday. The infrastructure is active. The worm is spreading.

The Worm Spreads: Self-Propagation Through Stolen Credentials

Here's where GlassWorm earns the "Worm" part of its name.

Remember all those credentials it's stealing? NPM tokens, GitHub credentials, OpenVSX access? Those aren't just for data theft. They're for propagation.

The self-replication cycle:

  1. Initial infection - Compromised developer account pushes malicious code to legitimate extension
  2. Invisible payload - Unicode-hidden malware executes on victim machines
  3. Credential harvest - Steals NPM, GitHub, OpenVSX, Git credentials
  4. Automated spread - Uses stolen credentials to compromise MORE packages and extensions
  5. Exponential growth - Each new victim becomes an infection vector
  6. Repeat - The cycle continues automatically

This isn't a one-off supply chain attack. It's a worm designed to spread through the developer ecosystem like wildfire.
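A scanner for the hiding technique described above, added here as an example (it is not Koi's tooling and not GlassWorm's own code): it flags runs of invisible Unicode code points in the source files of installed extensions. This page does not say which characters GlassWorm uses, so the scanner covers the whole class of Unicode format characters (category Cf) plus variation selectors, which are the usual candidates; the default extension directories, the file suffixes and the sample input are assumptions.

```python
import sys
import unicodedata
from pathlib import Path

# Default extension directories for VS Code and for Code-OSS/VSCodium builds
# on Linux/macOS (assumption; on Windows use %USERPROFILE%\.vscode\extensions).
DEFAULT_ROOTS = [Path.home() / ".vscode" / "extensions",
                 Path.home() / ".vscode-oss" / "extensions"]
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}


def is_invisible(ch):
    """True for code points that render as nothing in a typical editor.

    Unicode category Cf (format) covers zero-width spaces and joiners, bidi
    controls, the U+E0000 tag block and similar. Variation selectors
    (U+FE00-FE0F, U+E0100-E01EF) are category Mn but are equally invisible
    when they follow an ordinary character.
    """
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"
            or 0xFE00 <= cp <= 0xFE0F
            or 0xE0100 <= cp <= 0xE01EF)


def scan_text(text, min_run=1):
    """Return one finding per run of invisible code points.

    A UTF-8 BOM (U+FEFF) at offset 0 is a normal file artifact and is skipped;
    the same code point anywhere else is reported like any other.
    """
    if text.startswith("\ufeff"):
        text = text[1:]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            if col - start >= min_run:
                findings.append({
                    "line": line_no,
                    "col": start + 1,
                    "length": col - start,
                    # first few code points, enough to see which encoding is used
                    "sample": ["U+%04X" % ord(c) for c in line[start:start + 4]],
                })
    return findings


def scan_tree(root, min_run=1):
    """Scan every source file under an extension directory; {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_text(text, min_run)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample, not taken from any real extension: a normal-looking
# line with a run of twelve zero-width characters appended after the semicolon.
SAMPLE_JS = (
    'const greeting = "hello";\n'
    "module.exports = { activate() {} };" + "\u200b\u200c\u200d\u2060" * 3 + "\n"
    "function ok() { return 1; }\n"
)

if __name__ == "__main__":
    roots = [Path(p) for p in sys.argv[1:]] or DEFAULT_ROOTS
    for root in roots:
        if not root.is_dir():
            continue
        for path, hits in scan_tree(root, min_run=8).items():
            worst = max(hits, key=lambda h: h["length"])
            print(f"{path}: {len(hits)} run(s), longest {worst['length']} "
                  f"at line {worst['line']} col {worst['col']} {worst['sample']}")
```

Run it with no arguments to sweep the default directories, or pass an extension directory explicitly. Single variation selectors after emoji in a README string and the occasional zero-width joiner in localized text are normal; what is not normal is a long run of them on one line of a JS file, which is why the command-line mode reports only runs of eight or more while `scan_text` itself reports everything.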

Just one month ago, the security community witnessed Shai Hulud - the first successful self-propagating worm in the npm ecosystem. That campaign compromised over 100 packages by stealing npm tokens and automatically publishing malicious versions.

GlassWorm brings this same technique to OpenVSX, but with terrifying evolutions:

  • Invisible code injection that evades visual code review
  • C2 addressing stored on the Solana blockchain, which can't be taken down
  • Full RAT capabilities that turn victims into criminal infrastructure
  • Multi-layered redundancy across three different C2 mechanisms (a direct C2 server, a blockchain transaction, and a Google Calendar event)

The pattern is clear. Attackers have figured out how to make supply chain malware self-sustaining. They're not just compromising individual packages anymore - they're building worms that can spread autonomously through the entire software development ecosystem.

With traditional supply chain attacks, you compromise one package and that's your blast radius. With worms like Shai Hulud and GlassWorm, each infection is a new launching point for dozens more. It's exponential growth. And we're just starting to see what that looks like.

Active Impact RIGHT NOW

What's happening right now to infected systems:

  1. Credential theft in progress - NPM tokens, GitHub credentials, Git credentials being harvested
  2. Cryptocurrency wallets being drained - 49 different wallet extensions targeted
  3. SOCKS proxies deploying - Turning developer workstations into criminal infrastructure
  4. HVNC installation - Hidden remote access being established
  5. Network reconnaissance - Infected machines mapping internal corporate networks
  6. Preparation for spread - Stolen credentials being validated for additional compromises

The C2 infrastructure is fully operational:

  • 217.69.3.218 - Responding and serving encrypted payloads
  • Solana blockchain - Transaction active, pointing to payload servers
  • Google Calendar event - Live and accessible
  • Exfiltration server (140.82.52.31) - Collecting stolen data

This is an active, ongoing compromise. Not a case study. Not a war story. This is happening right now, as you read this sentence.

If you have any of the infected extensions installed, you're compromised. Your credentials are likely stolen. Your crypto wallets may be drained. Your machine might already be serving as a SOCKS proxy for criminal activity. And you probably have no idea any of this is happening.


IOCs (Updating in real time)

Compromised Extensions

OpenVSX Extensions (with malicious versions):

  • codejoy.codejoy-vscode-extension@1.8.3
  • codejoy.codejoy-vscode-extension@1.8.4
  • l-igh-t.vscode-theme-seti-folder@1.2.3
  • kleinesfilmroellchen.serenity-dsl-syntaxhighlight@0.3.2
  • JScearcy.rust-doc-viewer@4.2.1
  • SIRILMP.dark-theme-sm@3.11.4
  • CodeInKlingon.git-worktree-menu@1.0.9
  • CodeInKlingon.git-worktree-menu@1.0.91
  • ginfuru.better-nunjucks@0.3.2
  • ellacrity.recoil@0.7.4
  • grrrck.positron-plus-1-e@0.0.71
  • jeronimoekerdt.color-picker-universal@2.8.91
  • srcery-colors.srcery-colors@0.3.9

Microsoft VSCode Extensions:

  • cline-ai-main.cline-ai-agent@3.1.3

Infrastructure

Command & Control:

  • 217.69.3.218 (primary C2 server)
  • 140.82.52.31:80/wall (exfiltration endpoint)

Blockchain Infrastructure:

Solana Wallet: 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2

Transaction: 49CDiVWZpuSW1b2HpzweMgePNg15dckgmqrrmpihYXJMYRsZvumVtFsDim1keESPCrKcW2CzYjN3nSQDGG14KKFM

Google Calendar C2:

https://calendar.app.google/M2ZCvM8ULL56PD1d6

Organizer: uhjdclolkdn@gmail.com

Payload URLs:

http://217.69.3.218/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D

http://217.69.3.218/get_arhive_npm/

http://217.69.3.218/get_zombi_payload/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D

Registry Indicators

Persistence Mechanisms:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
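A checker for the indicators listed above, added here as an example (not part of the original page and not Koi's own tooling): it matches each installed extension's package.json against the compromised-version list and searches the extension's files for the C2 strings. The case-insensitive id comparison, the default extension directories and the sample manifest are assumptions; a listed extension at a version not in the list is reported separately, because this page gives no verdict on those versions.

```python
import json
import sys
from pathlib import Path

# Indicators copied from the IOC list on this page. Extension ids are compared
# lower-cased (assumption: VS Code lower-cases them for the on-disk directory
# name publisher.name-version, while the manifest keeps the original case).
COMPROMISED = {
    "codejoy.codejoy-vscode-extension": {"1.8.3", "1.8.4"},
    "l-igh-t.vscode-theme-seti-folder": {"1.2.3"},
    "kleinesfilmroellchen.serenity-dsl-syntaxhighlight": {"0.3.2"},
    "jscearcy.rust-doc-viewer": {"4.2.1"},
    "sirilmp.dark-theme-sm": {"3.11.4"},
    "codeinklingon.git-worktree-menu": {"1.0.9", "1.0.91"},
    "ginfuru.better-nunjucks": {"0.3.2"},
    "ellacrity.recoil": {"0.7.4"},
    "grrrck.positron-plus-1-e": {"0.0.71"},
    "jeronimoekerdt.color-picker-universal": {"2.8.91"},
    "srcery-colors.srcery-colors": {"0.3.9"},
    "cline-ai-main.cline-ai-agent": {"3.1.3"},
}

# Strings from the infrastructure section that have no business in an extension.
C2_INDICATORS = [
    "217.69.3.218",
    "140.82.52.31",
    "calendar.app.google/M2ZCvM8ULL56PD1d6",
    "28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2",
    "get_arhive_npm",
    "get_zombi_payload",
]

# Assumed default extension directories (VS Code, and Code-OSS/VSCodium).
DEFAULT_ROOTS = [Path.home() / ".vscode" / "extensions",
                 Path.home() / ".vscode-oss" / "extensions"]
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}


def manifest_id(manifest):
    return f"{manifest['publisher']}.{manifest['name']}".lower()


def check_manifest(manifest):
    """'malicious' for a listed version, 'listed' for the same extension at
    another version (treat with caution), None for anything else."""
    ext = manifest_id(manifest)
    if ext not in COMPROMISED:
        return None
    version = str(manifest.get("version", ""))
    return "malicious" if version in COMPROMISED[ext] else "listed"


def find_indicators(text):
    """Every C2 indicator that appears verbatim in the text, in list order."""
    return [ioc for ioc in C2_INDICATORS if ioc in text]


def audit_extension(manifest, sources):
    """sources maps a relative file name to its text. Returns a report dict."""
    hits = {}
    for name, text in sources.items():
        found = find_indicators(text)
        if found:
            hits[name] = found
    return {
        "id": manifest_id(manifest),
        "version": str(manifest.get("version", "")),
        "verdict": check_manifest(manifest),
        "indicators": hits,
    }


def audit_tree(root):
    """Audit every extension directory under root; return only the reports
    that have a verdict or at least one indicator hit."""
    reports = []
    for pkg in Path(root).glob("*/package.json"):
        try:
            manifest = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if "publisher" not in manifest or "name" not in manifest:
            continue
        sources = {}
        for path in pkg.parent.rglob("*"):  # node_modules included on purpose
            if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
                try:
                    sources[str(path.relative_to(pkg.parent))] = path.read_text(
                        encoding="utf-8", errors="replace")
                except OSError:
                    continue
        report = audit_extension(manifest, sources)
        if report["verdict"] or report["indicators"]:
            reports.append(report)
    return reports


# Constructed sample manifest and source, not copied from a real extension.
SAMPLE_MANIFEST = {"publisher": "CodeInKlingon", "name": "git-worktree-menu",
                   "version": "1.0.91"}
SAMPLE_SOURCES = {
    "extension.js": 'const u = "http://217.69.3.218/get_zombi_payload/x";\n',
    "README.md": "nothing suspicious here\n",
}

if __name__ == "__main__":
    roots = [Path(p) for p in sys.argv[1:]] or DEFAULT_ROOTS
    for root in roots:
        if root.is_dir():
            for r in audit_tree(root):
                print(f"{r['id']}@{r['version']}: verdict={r['verdict']} "
                      f"indicators={r['indicators']}")
```

A `malicious` verdict or any indicator hit means the machine should be treated as compromised: rotate the npm, GitHub, Git and OpenVSX credentials that were reachable from it and check the Run keys above before trusting it again. The indicator search also catches an extension that is not on the list yet but carries the same payload URLs, which matters for a list that is still being updated.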
