GlassWorm Malware Infects VS Code Ecosystem: Stealthy Supply-Chain Attack Hits 35K+ Developers
A new malware campaign dubbed GlassWorm is conducting a sophisticated supply-chain attack against developers through Microsoft's Visual Studio Marketplace and the open-source OpenVSX registry. According to research from Koi Security, the self-replicating malware has already infected 35,800 installations across at least 12 extensions, leveraging several unprecedented evasion techniques that make detection and mitigation exceptionally challenging.
The Invisible Threat
GlassWorm's core innovation lies in its use of invisible Unicode characters to hide malicious code within extension files. When viewed in code editors, these characters render the malicious payload literally invisible, bypassing manual code reviews.
Hidden malicious code using invisible Unicode characters (Source: Koi Security)
"The malware embeds itself using Unicode manipulation that makes malicious code disappear from code editors," explains Koi Security's report. Once installed, GlassWorm performs multiple malicious actions:
- Steals credentials for GitHub, npm, and OpenVSX accounts
- Harvests cryptocurrency wallet data from 49 browser extensions
- Deploys SOCKS proxies to route traffic through victim machines
- Installs VNC clients (HVNC) for invisible remote access
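Because the hidden payload is made of code points that editors do not draw, neither a manual read nor a visual diff of an update will catch it; a mechanical scan will. The following scanner is an added example (it is not code from Koi Security, the affected extensions, or the report), and the set of "invisible" ranges it checks is an assumption about what common editors render as nothing, not a list taken from the page. It reports each invisible code point with its line and column, and compares two versions of a file so that an update introducing such characters stands out even when the visible diff is empty.

```python
"""Scan extension source files for invisible Unicode code points.

Added example, not code from the Koi Security report. The code point set
below is an assumption about what editors render as nothing.
"""
import sys
import unicodedata
from collections import Counter
from typing import Dict, List, Tuple

# Assumed set of code points that render as nothing (or as an unmarked
# modifier) in most editors. Ordinary whitespace (space, tab, newline) is
# deliberately excluded.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x2060, 0x2064),    # word joiner and invisible math operators
    (0x2066, 0x206F),    # bidi isolates and deprecated format controls
    (0xFE00, 0xFE0F),    # variation selectors (category Mn, not Cf)
    (0xFEFF, 0xFEFF),    # zero-width no-break space / BOM
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selector supplement
]

Finding = Tuple[int, int, str, str]  # (line, column, "U+XXXX", character name)


def is_invisible(ch: str) -> bool:
    """True for characters in the assumed ranges or in Unicode category Cf (format)."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"


def scan_source(text: str) -> List[Finding]:
    """Return every invisible code point in text with its 1-based line and column."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                label = f"U+{ord(ch):04X}"
                findings.append((line_no, col, label, unicodedata.name(ch, "<unnamed>")))
    return findings


def count_invisible(text: str) -> Counter:
    """Histogram of invisible code points, keyed by their U+XXXX label."""
    return Counter(label for _, _, label, _ in scan_source(text))


def new_invisibles_in_update(old_text: str, new_text: str) -> Dict[str, int]:
    """Invisible code points that an update introduced, or added more of.

    A visual diff of the update cannot show these, so the check compares
    per-code-point counts between the previous and the new version.
    """
    old, new = count_invisible(old_text), count_invisible(new_text)
    return {label: n - old[label] for label, n in new.items() if n > old[label]}


# Constructed samples: a clean extension entry point, and the same file with
# three invisible code points appended to one line (written as escapes here
# so that this example itself stays reviewable).
CLEAN_SOURCE = 'function activate(context) {\n  console.log("ready");\n}\n'
TAINTED_SOURCE = (
    'function activate(context) {\n'
    '  console.log("ready");\uFE00\uFE01\u200B\n'
    '}\n'
)

if __name__ == "__main__":
    # Usage: python scan_invisible.py [file ...]; scans the built-in sample if no paths given.
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    for path, text in sources or [("<sample>", TAINTED_SOURCE)]:
        for line_no, col, label, name in scan_source(text):
            print(f"{path}:{line_no}:{col}: {label} {name}")
    print("introduced by update:", new_invisibles_in_update(CLEAN_SOURCE, TAINTED_SOURCE))
```

Run it over an unpacked extension (the `.vsix` is a zip) before and after an update, or wire `scan_source` into a pre-install hook; a non-empty result for a source file is a strong signal on its own, since legitimate JavaScript almost never needs these code points outside string literals.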
Blockchain-Powered Resilience
GlassWorm uses the Solana blockchain for command-and-control (C2) operations—a first for VS Code malware. The malware checks a hardcoded Solana wallet address where attackers embed base64-encoded URLs for next-stage payloads in transaction memos. This provides unprecedented resilience against takedowns.
Solana transaction used for payload delivery (Source: Koi Security)
Koi Security notes: "Using blockchain for payload distribution offers operational benefits including anonymity, low cost, and update flexibility." Backup mechanisms include Google Calendar event titles containing base64-encoded URLs and direct connections to IP 217.69.3[.]218. The malware also leverages BitTorrent's Distributed Hash Table (DHT) for decentralized command distribution.
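The memo and calendar-title channels share one shape: a free-text field carrying a base64 run that decodes to a URL. When hunting through captured memos or event titles, the useful step is to decode every plausible run and keep only results that are well-formed URLs. The helper below is an added example for that step and is not code from the Koi Security report; it assumes the URL is embedded as a plain base64 run of 16 or more characters somewhere in the field, and the sample memo and URL are constructed placeholders, not indicators from the page.

```python
"""Recover base64-encoded URLs from free-text fields such as transaction memos
or calendar event titles.

Added hunting helper, not code from the Koi Security report. Assumes the URL
is embedded as a plain base64 run of 16+ characters inside the text.
"""
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import urlparse

# A base64 run long enough that ordinary words rarely match by accident.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidate(token: str) -> Optional[str]:
    """Return the decoded text if token is valid base64 for a UTF-8 http(s) URL, else None."""
    try:
        raw = base64.b64decode(token, validate=True)  # rejects bad alphabet or padding
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return text
    return None


def extract_hidden_urls(field_text: str) -> List[str]:
    """All URLs recoverable from base64 runs inside an arbitrary text field."""
    urls: List[str] = []
    for match in BASE64_TOKEN.finditer(field_text):
        decoded = decode_candidate(match.group(0))
        if decoded is not None:
            urls.append(decoded)
    return urls


# Constructed samples. STAGE_URL is a placeholder, not an indicator from the report.
STAGE_URL = "https://example.invalid/stage2.js"
SAMPLE_MEMO = "payment ref " + base64.b64encode(STAGE_URL.encode()).decode()
SAMPLE_EVENT_TITLE = "Standup " + base64.b64encode(b"not a url at all, just text").decode()

if __name__ == "__main__":
    for label, field in (("memo", SAMPLE_MEMO), ("event title", SAMPLE_EVENT_TITLE)):
        print(f"{label}: {extract_hidden_urls(field)}")
```

Feed it the memo field of transactions on a wallet under investigation, or exported event titles, and route any decoded hostnames into blocklists and DNS/proxy log searches; a run that decodes to valid UTF-8 but is not a URL is discarded rather than reported, which keeps false positives from random-looking identifiers low.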
Worm-Like Propagation
The final payload—dubbed ZOMBI—is described as "massively obfuscated JavaScript" that transforms infected workstations into nodes for criminal operations. Crucially, GlassWorm spreads automatically by compromising developer accounts and injecting malware into all extensions the victim maintains.
"When CodeJoy pushed version 1.8.3 with invisible malware, everyone with it installed got automatically updated. No interaction. No warning. Just silent infection," warns Koi. This auto-update mechanism enabled explosive propagation across the ecosystem.
Ongoing Impact
At publication time, four infected extensions remained active on OpenVSX, though Microsoft has removed the malicious "cline-ai-main.cline-ai-agent" from its marketplace. The known compromised extensions include:
- [email protected]/1.8.4
- [email protected]
- [email protected]
- ... and 9 others
Credential-targeting function in GlassWorm (Source: Koi Security)
GlassWorm represents an escalation in supply-chain attacks following last month's "Shai-Hulud" npm campaign. Its combination of stealth techniques, blockchain resilience, and worm-like propagation creates unprecedented challenges for ecosystem security. As Koi Security warns: "C2 servers remain active, and this is one of the most sophisticated supply-chain attacks we've documented."
For developers, this attack underscores the critical need for:
1. Manual verification of extension update diffs
2. Multi-factor authentication on registry accounts
3. Blockchain transaction monitoring in security tooling
The incident reveals how modern attack surfaces now extend deep into development toolchains—where a single compromised extension can silently compromise thousands through the very mechanisms designed for convenience.
Source: Koi Security research as reported by BleepingComputer