Invisible Code, Trusted Extensions: How GlassWorm Hijacks the Developer Supply Chain

The GlassWorm malware campaign has escalated into a full-blown multi-platform supply chain threat, targeting developers through Open VSX extensions, npm packages, and GitHub repositories. What makes this wave especially dangerous is its use of transitive extension abuse, invisible Unicode injections, and remote dynamic dependencies — all designed to bypass scrutiny and exploit developer trust.

How the Attack Works

1. Open VSX Extension Abuse

• Transitive payload delivery: Benign-looking extensions are later updated to include malicious dependencies via extensionPack or extensionDependencies.
• Delayed infection: Malware is only pulled after trust is established, making detection harder.
• Targets: Linters, formatters, code runners, and AI coding tools like Clade Code and Google Antigravity.
• Malicious examples:

• angular-studio.ng-angular-extension
• gvotcha.claude-code-extension
• mswincx.antigravity-cockpit

2. Unicode Injection in GitHub and npm

• Invisible payloads: Unicode characters hide malicious code in commits that appear legitimate.
• Affected platforms: 151 GitHub repos and npm packages like @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp.
• Loader behavior: Decodes to second-stage scripts that steal tokens, credentials, and secrets.

3. Remote Dynamic Dependencies (RDD)

• Live payload control: package.json points to external URLs, allowing attackers to change behavior without publishing a new version.
• PhantomRaven controversy: Claimed as a research experiment, but red flags include excessive data collection, lack of transparency, and rotating identities.

Advanced Techniques

• Locale checks: Avoids infecting Russian systems.
• Solana dead drops: Uses blockchain transactions to fetch C2 addresses.
• Obfuscation & wallet rotation: Makes detection and attribution harder.
• AI-generated commits: Attackers use LLMs to craft realistic commit messages and code changes.

Defensive Recommendations

• Audit extensions: Review extensionPack and extensionDependencies in all installed VS Code extensions.
• Monitor GitHub commits: Watch for invisible Unicode characters and suspicious second-stage behavior.
• Avoid RDDs: Prefer packages with dependencies hosted inside trusted registries.
• Use static analysis tools: Detect obfuscated code and transitive dependencies.
• Educate developers: Train teams to recognize supply chain manipulation tactics.

Final Thought

GlassWorm isn’t just malware — it’s a supply chain infiltration strategy that weaponizes developer trust, open-source ecosystems, and invisible code. As attackers evolve from direct payloads to transitive delivery and remote control, defenders must rethink how they vet extensions, packages, and commits. The future of secure development depends on visibility, verification, and vigilance — not just automation.