Glassworm Malware: Third Wave in VS Code Ecosystem

December 2, 2025 Faeem BLOGS 0

The Glassworm campaign, first spotted in October 2025, has now entered its third wave, with 24 new malicious packages uploaded to both OpenVSX and the Microsoft Visual Studio Marketplace.

Key Technical Details

  • Stealth technique: Uses invisible Unicode characters to conceal malicious code from reviewers.
  • Targets:
    • Developer accounts: GitHub, npm, OpenVSX.
    • Cryptocurrency wallets via 49 compromised extensions.
  • Capabilities:
    • Deploys a SOCKS proxy to route malicious traffic through victim machines.
    • Installs HVNC (Hidden Virtual Network Computing) client for stealthy remote access.
  • Persistence: Despite cleanup efforts, attackers re-uploaded new packages under fresh publisher accounts.
  • Scope: Packages mimic popular developer frameworks/tools like Flutter, Vim, Yaml, Tailwind, Svelte, React Native, Vue.

Risks

  • Supply chain compromise: Developers unknowingly install malicious extensions, exposing source code repositories and credentials.
  • Account takeover: Stolen GitHub/npm credentials can lead to poisoned packages, repo hijacking, or CI/CD pipeline abuse.
  • Cryptocurrency theft: Wallet data targeted directly from developer environments.
  • Stealthy persistence: HVNC allows attackers to operate invisibly, bypassing traditional monitoring.

Defensive Measures

  • For developers:
    • Audit installed VS Code extensions; remove suspicious or recently added packages.
    • Verify publisher authenticity and extension update history.
    • Rotate credentials for GitHub, npm, and other linked accounts.
    • Enable MFA on all developer accounts.
    • Monitor for unusual proxy traffic or hidden processes.
  • For organizations:
    • Restrict extension installation to vetted sources.
    • Implement allowlists for approved VS Code extensions.
    • Monitor developer endpoints for SOCKS proxy activity and HVNC artifacts.
    • Conduct supply chain security reviews of CI/CD pipelines.

Takeaway

Glassworm demonstrates how developer ecosystems are prime targets for supply chain attacks. By hiding malicious code in extensions, attackers gain access to both developer credentials and cryptocurrency assets, while leveraging stealthy remote access tools.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.