{“lastseen”:”2025-10-24T07:02:28″,”description”:”\\n\\nCybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks.\\n\\nThe sophisticated threat, codenamed **GlassWorm** by Koi Security, is the second such supply chain attack to hit the DevOps space within a span of a month after the Shai-Hulud worm that targeted the npm ecosystem in mid-September 2025.\\n\\nWhat makes the attack stand out is the use of the Solana blockchain for command-and-control (C2), making the infrastructure resilient to takedown efforts. It also uses Google Calendar as a C2 fallback mechanism.\\n\\nAnother novel aspect is that the GlassWorm campaign relies on \\”invisible Unicode characters that make malicious code literally disappear from code editors,\\” Idan Dardikman said in a technical report. \\”The attacker used Unicode variation selectors \u2013 special characters that are part of the Unicode specification but don’t produce any visual output.\\”\\n\\nThe end goal of the attack is to harvest npm, Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, deploy SOCKS proxy servers to turn developer machines into conduits for criminal activities, install hidden VNC (HVNC) servers for remote access, and weaponize the stolen credentials to compromise additional packages and extensions for further propagation.\\n\\n\\n\\nThe names of the infected extensions, 13 of them on Open VSX and one on the Microsoft Extension Marketplace, are listed below. These extensions have been downloaded about 35,800 times. The first wave of infections took place on October 17, 2025. It’s currently not known how these extensions were hijacked.\\n\\n * codejoy.codejoy-vscode-extension 1.8.3 and 1.8.4\\n * l-igh-t.vscode-theme-seti-folder 1.2.3\\n * kleinesfilmroellchen.serenity-dsl-syntaxhighlight 0.3.2\\n * JScearcy.rust-doc-viewer 4.2.1\\n * SIRILMP.dark-theme-sm 3.11.4\\n * CodeInKlingon.git-worktree-menu 1.0.9 and 1.0.91\\n * ginfuru.better-nunjucks 0.3.2\\n * ellacrity.recoil 0.7.4\\n * grrrck.positron-plus-1-e 0.0.71\\n * jeronimoekerdt.color-picker-universal 2.8.91\\n * srcery-colors.srcery-colors 0.3.9\\n * sissel.shopify-liquid 4.0.1\\n * TretinV3.forts-api-extention 0.3.1\\n * cline-ai-main.cline-ai-agent 3.1.3 (Microsoft Extension Marketplace)\\n\\n\\n\\nThe malicious code concealed within the extensions is designed to search for transactions associated with an attacker-controlled wallet on the Solana blockchain, and if found, it proceeds to extract a Base64-encoded string from the memo field that decodes to the C2 server (\\”217.69.3[.]218\\” or \\”199.247.10[.]166\\”) used for retrieving the next-stage payload.\\n\\nThe payload is an information stealer that captures credentials, authentication tokens, and cryptocurrency wallet data, and reaches out to a Google Calendar event to parse another Base64-encoded string and contact the same server to obtain a payload codenamed Zombi. The data is exfiltrated to a remote endpoint (\\”140.82.52[.]31:80\\”) managed by the threat actor.\\n\\n\\n\\nWritten in JavaScript, the Zombi module essentially turns a GlassWorm infection into a full-fledged compromise by dropping a SOCKS proxy, WebRTC modules for peer-to-peer communication, BitTorrent’s Distributed Hash Table (DHT) for decentralized command distribution, and HVNC for remote control.\\n\\nThe problem is compounded by the fact that VS Code extensions are configured to auto-update, allowing the threat actors to push the malicious code automatically without requiring any user interaction.\\n\\n\\”This isn’t a one-off supply chain attack,\\” Dardikman said. \\”It’s a worm designed to spread through the developer ecosystem like wildfire.\\”\\n\\n\\”Attackers have figured out how to make supply chain malware self-sustaining. They’re not just compromising individual packages anymore \u2013 they’re building worms that can spread autonomously through the entire software development ecosystem.\\”\\n\\nThe development comes as the use of blockchain for staging malicious payloads has witnessed a surge due to its pseudonymity and flexibility, with even threat actors from North Korea leveraging the technique to orchestrate their espionage and financially motivated campaigns.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-10-24T07:00:00″,”modified”:”2025-10-24T07:00:00″,”type”:”thn”,”title”:”Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack”,”source”:””,”references”:””,”id”:”THN:3B9CC2E9C3745791BDAAE201DE6C8EFC”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/10\/self-spreading-glassworm-infects-vs.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-24T07:02:28″,”description”:”\\n\\nCybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-23152","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n