
Malware GlassWorm attacks application marketplaces on OpenVSX and VS Code


Security researchers at Koi Security recently reported a new worm targeting extensions for VS Code and the OpenVSX marketplace. Preliminary reports indicate that the malware steals Git, GitHub and NPM credentials; deploys a SOCKS proxy that turns the compromised system into attacker infrastructure; installs a hidden VNC server for remote access; harvests data from 49 cryptocurrency wallet extensions; and uses the stolen credentials to compromise further extensions and spread itself.

Detailed Information

One month after Shai Hulud became the first self-spreading worm in the NPM ecosystem, security researchers at Koi Security discovered the first worm targeting VS Code extensions on the OpenVSX marketplace.

Tracked as GlassWorm, it is considered not just another supply-chain attack but one that uses previously undocumented stealth techniques. The malware hides its code behind invisible Unicode characters, so it does not show up in code editors, and combines this with blockchain-based command-and-control (C2) infrastructure that cannot be taken down. GlassWorm also uses Google Calendar as a backup C2 channel, and its final payload is a remote access trojan that turns infected systems into proxy nodes for a criminal network.

As of now, seven extensions on OpenVSX have been compromised by GlassWorm, with over 35,800 downloads in total. Koi Security also reports that several VS Code Marketplace extensions have been infected, and that the attacker's C2 servers are still active, responding to infected devices and issuing commands to steal data.

Attack Chain

Below are the stages of GlassWorm's infection and spread, as classified and compiled by Koi Security's researchers:

  1. Stage 1: Injecting malware using "invisible" characters

In this case, the attacker injected invisible malicious code into the source code of the CodeJoy extension. The injected characters are code points from the Unicode standard that are not rendered at all, so they look like ordinary blank lines or spaces and easily deceive anyone reading the code.

More dangerously, these invisible Unicode characters let the malware slip past static analysis tools and malware scanners that do not account for them. Neither GitHub's diff view nor the syntax highlighting of IDEs shows anything abnormal. This is the opposite of the usual approach, in which attackers hide malicious code by obfuscating it or burying it in minified files.
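As an added example (not code from the page, from Koi Security or from the malware), the following Python scanner flags invisible Unicode code points in source text with their line and column, and recovers the bytes carried by a long run of variation selectors. The byte-to-selector mapping it uses is the well-known "variation selector smuggling" scheme and is an assumption for this example, not the encoding taken from GlassWorm; the sample source file and the hidden marker string are constructed.

```python
import re
import unicodedata
from dataclasses import dataclass

# Code-point ranges that render as nothing (or as a blank) in editors and diff
# views. The variation selector blocks are the class of character described in
# the write-up; the others are included because the same trick works with any
# zero-width or format character.
INVISIBLE_RANGES = [
    (0x200B, 0x200F, "zero-width / bidi mark"),
    (0x202A, 0x202E, "bidi embedding or override"),
    (0x2060, 0x2064, "invisible operator"),
    (0x2066, 0x2069, "bidi isolate"),
    (0xFE00, 0xFE0F, "variation selector"),
    (0xFEFF, 0xFEFF, "zero-width no-break space (BOM)"),
    (0xE0000, 0xE007F, "tag character"),
    (0xE0100, 0xE01EF, "variation selector supplement"),
]


def classify(cp: int):
    """Return a label if the code point is invisible/suspicious, else None."""
    for lo, hi, label in INVISIBLE_RANGES:
        if lo <= cp <= hi:
            return label
    # Any other 'Cf' (format) code point has no business in source code either.
    if unicodedata.category(chr(cp)) == "Cf":
        return "other format character"
    return None


@dataclass
class Finding:
    line: int
    col: int
    codepoint: int
    label: str


def scan_source(text: str):
    """Report every invisible code point with its 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            label = classify(ord(ch))
            if label:
                findings.append(Finding(lineno, col, ord(ch), label))
    return findings


# Assumed byte <-> selector mapping (0..15 -> U+FE00..U+FE0F, 16..255 ->
# U+E0100..U+E01EF). This is the generic smuggling scheme, not the malware's
# own format, which the page does not describe.
def byte_to_selector(b: int) -> str:
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)


def selector_to_byte(ch: str):
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 16
    return None


def decode_hidden_runs(text: str, min_len: int = 8):
    """Find long runs of variation selectors and recover the bytes they carry."""
    run_re = re.compile(r"[\uFE00-\uFE0F\U000E0100-\U000E01EF]{%d,}" % min_len)
    return [bytes(selector_to_byte(c) for c in m.group()) for m in run_re.finditer(text)]


# Constructed sample: an innocent-looking module with an inert marker string
# hidden in what an editor renders as an empty line. Not from any real extension.
HIDDEN_MARKER = b"/* hidden payload would go here */"
SAMPLE_SOURCE = (
    "const cfg = require('./config');\n"
    + "".join(byte_to_selector(b) for b in HIDDEN_MARKER)
    + "\n"
    + "module.exports = cfg;\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line} col {f.col}: U+{f.codepoint:04X} ({f.label})")
    for blob in decode_hidden_runs(SAMPLE_SOURCE):
        print("recovered:", blob)
```

Run over every .js file in a checked-out extension package, this lists each offending character by line and column, which is exactly what a diff view or syntax highlighter will not show you. If your git is built with PCRE support, `git grep -P '[\x{200B}-\x{200F}\x{FE00}-\x{FE0F}\x{E0100}-\x{E01EF}]'` gives a quick first pass over a whole repository.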

  2. Stage 2: Connecting to an indestructible C2 server

Instead of a regular server, the attacker uses the Solana blockchain to deliver control commands. The malware download link is placed in the memo (note) field of a cryptocurrency transaction, much like a public comment. The malware on the victim's machine reads these memos to learn where to download the next stage.

Because transactions on the blockchain cannot be edited or deleted, any command posted there exists forever. Crypto wallets are pseudonymous (hard to trace to real people), posting a command costs very little, and connections to the blockchain look completely normal, which makes them very difficult to detect and block. If defenders spot unusual connections and block the payload download URL, the attacker simply posts a new transaction with a different URL, and the infected systems are back under the attacker's control.

  3. Stage 3: Stealing the victim's information

From the C2 address obtained above, the malware downloads a large encrypted blob onto the victim's machine. The decryption key is embedded in an HTTP header of the C2 server's response. Once decrypted, the payload starts hunting for information: NPM authentication tokens for publishing malicious packages, GitHub tokens for taking over code repositories, OpenVSX and Git credentials for inserting malicious code, and data from 49 cryptocurrency wallet extensions (such as MetaMask and Phantom).

If the C2 server is blocked, GlassWorm falls back to Google Calendar: it reads public calendar events that carry an encrypted link, and the attacker can issue new commands simply by editing the event title.
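To make the dead-drop mechanism of Stage 2 and the Google Calendar fallback of Stage 3 concrete, here is an added Python simulation (not the malware's code and not from the page or from Koi Security). The message formats, the sample memos and calendar events, and the .invalid URLs are all constructed assumptions; what the example shows is why blocking one payload URL does not help when the channel is append-only, and how a defender can enumerate every URL ever posted to it.

```python
import base64
import json
from urllib.parse import urlparse

# Assumed wire format for this example only: a Solana memo carries base64 of
# a JSON object with a "url" key; a calendar event title carries a base64 URL.
def _memo(url: str) -> str:
    return base64.b64encode(json.dumps({"url": url}).encode()).decode()


# Constructed transaction list for one attacker wallet, newest first.
SOLANA_MEMOS = [
    {"slot": 300_002, "memo": "gm"},                               # unrelated noise
    {"slot": 300_001, "memo": _memo("http://c2-b.invalid/stage2")},
    {"slot": 299_990, "memo": _memo("http://c2-a.invalid/stage2")},
]

# Constructed public calendar events (the fallback channel).
CALENDAR_EVENTS = [
    {"updated": "2025-10-18T10:00:00Z",
     "summary": base64.b64encode(b"http://c2-c.invalid/stage2").decode()},
    {"updated": "2025-10-01T09:00:00Z", "summary": "Team sync"},
]


def _looks_like_url(s: str) -> bool:
    p = urlparse(s)
    return p.scheme in ("http", "https") and bool(p.netloc)


def decode_memo(memo: str):
    """Solana memo -> URL, or None if this memo is not a command."""
    try:
        data = json.loads(base64.b64decode(memo, validate=True))
        url = data.get("url") if isinstance(data, dict) else None
    except (ValueError, UnicodeDecodeError):
        return None
    return url if isinstance(url, str) and _looks_like_url(url) else None


def decode_event(event: dict):
    """Calendar event title -> URL, or None."""
    try:
        url = base64.b64decode(event["summary"], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return url if _looks_like_url(url) else None


def resolve_from_memos(memos):
    """Newest memo that decodes to a URL wins; older commands are ignored."""
    for tx in sorted(memos, key=lambda t: t["slot"], reverse=True):
        url = decode_memo(tx["memo"])
        if url:
            return url
    return None


def resolve_from_calendar(events):
    for ev in sorted(events, key=lambda e: e["updated"], reverse=True):
        url = decode_event(ev)
        if url:
            return url
    return None


def resolve_stage2(memos, events, blocked=frozenset()):
    """Primary channel first, calendar fallback second. `blocked` models a URL
    blocklist: it only bites on the URL itself, never on the channel."""
    url = resolve_from_memos(memos)
    if url is None or url in blocked:
        url = resolve_from_calendar(events)
    return url if url and url not in blocked else None


def all_posted_urls(memos, events):
    """Defender view: every URL ever posted, for blocklisting and hunting.
    Works because the chain keeps the full history."""
    urls = {u for u in (decode_memo(t["memo"]) for t in memos) if u}
    urls |= {u for u in (decode_event(e) for e in events) if u}
    return sorted(urls)


if __name__ == "__main__":
    print("current:", resolve_stage2(SOLANA_MEMOS, CALENDAR_EVENTS))
    print("after blocking c2-b:",
          resolve_stage2(SOLANA_MEMOS, CALENDAR_EVENTS, {"http://c2-b.invalid/stage2"}))
    newer = [{"slot": 300_010, "memo": _memo("http://c2-d.invalid/stage2")}] + SOLANA_MEMOS
    print("after attacker posts a new memo:", resolve_stage2(newer, CALENDAR_EVENTS))
    print("everything ever posted:", all_posted_urls(newer, CALENDAR_EVENTS))
```

The takeaway for detection is in `all_posted_urls`: because the channel is public and append-only, the same property that makes it indestructible for the attacker lets an analyst replay the complete command history once the wallet (or calendar) is known.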

  4. Stage 4: ZOMBI

The final stage of GlassWorm, the ZOMBI module, is a highly sophisticated JavaScript payload that turns every infected developer workstation into a node in the criminal infrastructure.

The malware installs a SOCKS proxy (using the victim's IP as a relay point), uses WebRTC to establish peer-to-peer connections that bypass firewalls, and uses the BitTorrent DHT to distribute commands in a decentralized manner, making it nearly impossible to disable. It also deploys HVNC (Hidden VNC), a hidden desktop session that lets attackers quietly use the browser, read email, view source code and gather more credentials.

The result is that infected machines become access points into internal networks, data exfiltration channels, and nodes in a global proxy/botnet. ZOMBI restarts itself when interfered with and can be updated remotely, which makes it very difficult to shut down, and it all starts with an invisible Unicode character in an extension.

Recommendations & Remediation

The GlassWorm campaign is estimated to have reached about 35,800 installs, with seven OpenVSX extensions compromised and several VS Code extensions also affected. To counter this malware, organizations and users need to implement comprehensive security measures immediately. The following recommendations reduce the risk of infection and help protect systems:

  • Update and check extensions: Immediately remove and block any extension suspected of infection, and temporarily disable automatic extension updates in production environments. Restrict write/publish permissions on developer accounts, apply the least-privilege principle to tokens and CI/CD, and review extensions before deploying them.

  • Revoke and rotate credentials: Revoke and rotate any tokens or passwords that may have been exposed (NPM, GitHub, OpenVSX, Git) and enable multi-factor authentication (MFA).

  • Monitor and secure systems: Scan and isolate affected systems with EDR/antivirus; look for signs of a SOCKS proxy, HVNC, and connections to unknown IPs/hosts (e.g., 217.69.3[.]218). Monitor logs and inbound/outbound network traffic, unusual blockchain transactions and related Google Calendar events; have an incident response plan so systems can be isolated quickly and restored from clean backups if necessary.

  • Train and raise security awareness: Train staff on the dangers of supply-chain attacks and the importance of thoroughly checking extensions, especially third-party source code. Developers should also watch for invisible characters or non-visible code during source code review.
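As an added example for the triage steps above (not code from the page or from Koi Security), the Python below does two things on a developer workstation: it inventories the credential files the worm is described as harvesting, reporting the registry or host and a redacted token prefix so you know exactly what to rotate, and it hunts `ss -tnp`-style socket output for a SOCKS-port listener, an unexpected non-loopback listener owned by dev tooling, or a connection to the indicator quoted above. The file contents, the socket lines, the SOCKS port list and the process names are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Indicator quoted in the recommendations (defanged on the page as
# 217.69.3[.]218); refanged here so it can be compared with socket output.
IOC_IPS = {"217.69.3.218"}
SOCKS_PORTS = {1080, 1081, 9050}                       # assumed common SOCKS ports
DEV_TOOL_PROCESSES = {"node", "code", "code-helper", "codium", "electron"}
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}

# --- 1. Credential inventory: what would the worm have taken? --------------
# Constructed file contents with placeholder tokens, not real secrets.
CONFIG_FILES = {
    "~/.npmrc": (
        "//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken0123456789\n"
        "registry=https://registry.npmjs.org/\n"
    ),
    "~/.git-credentials": "https://alice:ghp_EXAMPLEtoken0123456789@github.com\n",
    "~/.config/gh/hosts.yml": (
        "github.com:\n    user: alice\n    oauth_token: gho_EXAMPLEtoken01234\n"
    ),
}

TOKEN_PATTERNS = [
    ("npm", re.compile(r"^//(?P<host>[^/]+)/.*:_authToken=(?P<tok>\S+)", re.M)),
    ("git-credentials",
     re.compile(r"^https?://[^:@\s]+:(?P<tok>[^@\s]+)@(?P<host>[^/\s]+)", re.M)),
    ("gh-cli",
     re.compile(r"^(?P<host>\S+):\n(?:[ \t]+.*\n)*?[ \t]+oauth_token:[ \t]*(?P<tok>\S+)", re.M)),
]


@dataclass
class ExposedCredential:
    path: str
    kind: str
    host: str
    token_prefix: str   # never log the full token


def find_exposed_credentials(files):
    """Return every token found in a {path: contents} mapping, redacted."""
    found = []
    for path, text in files.items():
        for kind, pattern in TOKEN_PATTERNS:
            for m in pattern.finditer(text):
                found.append(ExposedCredential(path, kind, m.group("host"),
                                               m.group("tok")[:8] + "..."))
    return found


# --- 2. Socket hunt over `ss -tnp`-style output ----------------------------
# Constructed output: a node process with a SOCKS-port listener, a second
# listener on a non-loopback address, a connection to the indicator above,
# and two benign rows (git to an unrelated host, VS Code on loopback).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:1080        0.0.0.0:*           users:(("node",pid=4242,fd=21))
LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*           users:(("node",pid=4242,fd=22))
ESTAB  0      0      10.0.0.5:51234      217.69.3.218:443    users:(("node",pid=4242,fd=23))
ESTAB  0      0      10.0.0.5:51240      203.0.113.10:443    users:(("git",pid=5100,fd=3))
LISTEN 0      128    127.0.0.1:45123     0.0.0.0:*           users:(("code",pid=3100,fd=40))
"""

PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass
class SocketFinding:
    pid: int
    process: str
    local: str
    peer: str
    reason: str


def _split_hostport(addr):
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_suspicious_sockets(ss_text):
    """Flag indicator connections and unexpected listeners owned by dev tooling."""
    findings = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "State":
            continue
        state, local, peer, proc = parts[0], parts[3], parts[4], parts[5]
        m = PROC_RE.search(proc)
        if not m:
            continue
        name, pid = m.group("name"), int(m.group("pid"))
        peer_host, _ = _split_hostport(peer)
        local_host, local_port = _split_hostport(local)
        reason = None
        if peer_host in IOC_IPS:
            reason = "connection to known GlassWorm indicator"
        elif state == "LISTEN" and name in DEV_TOOL_PROCESSES:
            if local_port in SOCKS_PORTS:
                reason = "SOCKS-port listener owned by dev tooling"
            elif local_host not in LOOPBACK:
                reason = "dev tooling listening on a non-loopback address"
        if reason:
            findings.append(SocketFinding(pid, name, local, peer, reason))
    return findings


if __name__ == "__main__":
    for c in find_exposed_credentials(CONFIG_FILES):
        print(f"rotate: {c.kind:16} {c.host:22} {c.token_prefix}  ({c.path})")
    for s in find_suspicious_sockets(SS_OUTPUT):
        print(f"pid {s.pid} {s.process}: {s.local} -> {s.peer}: {s.reason}")
```

The loopback listener owned by `code` is deliberately left alone: editors legitimately open local ports for extension hosts and debuggers, so the heuristic only fires on SOCKS ports or on listeners exposed beyond the host. Treat the port list and process names as a starting point to tune for your own fleet, and pair the socket check with your EDR's process tree so a flagged `node` can be traced back to the extension that spawned it.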

GlassWorm is a highly sophisticated and dangerous piece of malware that uses multiple mechanisms to spread and attack, from stealthy code injection to the use of the blockchain and legitimate services such as Google Calendar to maintain and grow its attack infrastructure. Strong security measures, continuous monitoring and security awareness training are essential to prevent and mitigate damage from this type of malware.

FPT IS Security

761 posts

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.