Hidden "Glassworm" malware spreads through infected VS Code extensions


Worm writers take it to the next level.

A new malware worm campaign has infected multiple Microsoft Visual Studio Code extensions using invisible Unicode characters to hide malicious code from both reviewers and security tools, security researchers say.


The worm, named Glassworm, compromised seven extensions on the OpenVSX marketplace on October 17, reaching more than 10,700 downloads.

Researchers at Koi Security discovered the attack after their risk engine detected abnormal behaviour in the CodeJoy extension.

A worm uses self-replicating computer code that is able to propagate by copying itself.

Koi described Glassworm as one of the most advanced software supply chain attacks seen so far.

The worm uses Unicode variation selectors, which don't render visibly, to conceal malicious code within legitimate files.

Static code scanners see nothing suspicious, and human reviewers see only blank lines.

"This technique completely breaks traditional code review," Koi Security researcher Idan Dardikman said. "You can't spot what you can't see."

Even GitHub’s diff view and syntax highlighting failed to reveal any changes, leaving infected developers unaware they are distributing malware.
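The hiding technique described above can be caught mechanically even when a diff viewer shows nothing. The following is an added example, not code from the article or from Koi Security: a pre-merge check that walks source text by Unicode code point and reports every invisible character with its line and column. The article names Unicode variation selectors as the carrier; the additional ranges in the table (zero-width and bidirectional format characters) are an assumption about what a review gate would also want to reject, and the sample extension file is constructed for the demonstration.

```javascript
// Added example (not code from the article or from Koi Security): a reviewer's
// pre-merge check that flags invisible Unicode code points in source text.
// The article names Unicode variation selectors as the hiding technique; the
// other ranges below are an assumption about what else a review gate would
// reasonably reject in source code.
const INVISIBLE_RANGES = [
  [0xfe00, 0xfe0f, 'variation selector'],
  [0xe0100, 0xe01ef, 'variation selector supplement'],
  [0x200b, 0x200f, 'zero-width space / joiner / bidi mark'],
  [0x2060, 0x2064, 'word joiner / invisible operator'],
  [0x202a, 0x202e, 'bidi embedding / override'],
  [0x2066, 0x2069, 'bidi isolate'],
  [0xfeff, 0xfeff, 'zero-width no-break space'],
];

// Return a label for an invisible code point, or null if it is not in the table.
function classifyCodePoint(cp) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// Walk the text by code point (for...of, not by UTF-16 unit, so astral
// selectors such as U+E0100 are seen whole) and record every hit with its
// 1-based line and column.
function scanSource(text) {
  const findings = [];
  let line = 1;
  let col = 0;
  for (const ch of text) {
    if (ch === '\n') { line += 1; col = 0; continue; }
    col += 1;
    const cp = ch.codePointAt(0);
    const kind = classifyCodePoint(cp);
    if (kind !== null) {
      findings.push({
        line,
        col,
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
        kind,
      });
    }
  }
  return findings;
}

// Group findings per line so a review comment can say "line 4: 3 hidden
// code points" instead of listing each one.
function summarize(findings) {
  const byLine = new Map();
  for (const f of findings) {
    const entry = byLine.get(f.line) || { count: 0, kinds: new Set() };
    entry.count += 1;
    entry.kinds.add(f.kind);
    byLine.set(f.line, entry);
  }
  return [...byLine.entries()].map(([line, e]) => ({
    line,
    count: e.count,
    kinds: [...e.kinds].sort(),
  }));
}

// Constructed sample: an ordinary extension file followed by a line that a
// diff viewer renders as blank but which carries three variation selectors.
const SAMPLE_SOURCE =
  'function activate(context) {\n' +
  '  console.log("extension active");\n' +
  '}\n' +
  '\uFE00\uFE01\u{E0100}\n' +
  'module.exports = { activate };\n';

if (typeof require !== 'undefined' && require.main === module) {
  const report = summarize(scanSource(SAMPLE_SOURCE));
  for (const r of report) {
    console.log(`line ${r.line}: ${r.count} hidden code point(s) [${r.kinds.join(', ')}]`);
  }
  // Non-zero exit so a CI job fails the merge when anything invisible is found.
  process.exitCode = report.length > 0 ? 1 : 0;
}
```

Run over every file in a pull request, this rejects the blank-looking line the article describes; because it iterates code points rather than UTF-16 units, the supplementary selector range (U+E0100 onwards) is not split into surrogate halves and missed.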

Glassworm communicates through the Solana blockchain, using transactions as its command and control (C2) system.

The worm reads base64-encoded data hidden inside blockchain transaction memos to locate its next payload.

Because blockchain entries cannot be altered or deleted, this structure forms what Koi called “unkillable infrastructure.”

There is no server to seize or domain to suspend, and attackers can update their commands simply by posting new transactions, which cost very little.

Koi also found that the malware maintains backup channels, through direct Internet Protocol addresses and Google Calendar events, that link to another encrypted payload.

Calendar traffic appears legitimate and is rarely blocked, giving attackers a reliable alternative path, Dardikman explained.

The Solana-linked payload server delivers an AES-encrypted file, with decryption keys issued dynamically through HTTP headers to prevent interception.

Once decrypted, the code hunts for credentials from npm, GitHub, OpenVSX, and git, along with 49 cryptocurrency wallet extensions such as MetaMask and Phantom.

These credentials then enable automatic propagation.

Each infected developer account can publish new malicious extensions or packages, creating an expanding web of compromise.

A secondary module, named ZOMBI, converts infected workstations into proxy nodes for a criminal network.

It installs SOCKS proxies, uses WebRTC to bypass firewalls, and distributes commands over BitTorrent's distributed hash table (DHT).

Attackers can route traffic through trusted developer machines, gaining access to internal systems.

ZOMBI also includes hidden virtual network computing, or HVNC, allowing attackers to operate an invisible remote desktop.

It runs without visible windows or active processes, giving full access to a victim’s browser, code, and communications.

Koi said it has confirmed that Glassworm’s infrastructure remains active.

The Solana transaction still points to a live payload server, the Google Calendar link is functional (iTNews tested the link and it is still up as of writing), and an exfiltration address at 140.82.52.31 is collecting data.

Of the seven known extensions, two have been cleaned, while five continue to distribute infected versions.

Glassworm follows the Shai-Hulud worm that hit over 500 npm packages in September this year.

Koi advises developers to audit installed extensions and rotate any exposed credentials.

Compromised extensions include codejoy.codejoy-vscode-extension, l-igh-t.vscode-theme-seti-folder, kleinesfilmroellchen.serenity-dsl-syntaxhighlight, JScearcy.rust-doc-viewer, SIRILMP.dark-theme-sm, CodeInKlingon.git-worktree-menu, and ginfuru.better-nunjucks.
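The audit Koi recommends can start with a check of the local extension directory against the seven IDs listed above. The following is an added example, not code from the article or from Koi Security: it parses the directory names VS Code uses on disk (`<publisher>.<name>-<version>` under `~/.vscode/extensions`) and reports any that match the list. The directory layout and the home-relative path are assumptions about a standard VS Code install (forks such as VSCodium use a different path), and the directory names used in the test are constructed.

```javascript
// Added example (not code from the article or from Koi Security): audit the
// locally installed VS Code extensions against the seven extension IDs the
// article lists. The on-disk layout <publisher>.<name>-<version> under
// ~/.vscode/extensions is an assumption about a standard VS Code install.
const KNOWN_COMPROMISED = [
  'codejoy.codejoy-vscode-extension',
  'l-igh-t.vscode-theme-seti-folder',
  'kleinesfilmroellchen.serenity-dsl-syntaxhighlight',
  'JScearcy.rust-doc-viewer',
  'SIRILMP.dark-theme-sm',
  'CodeInKlingon.git-worktree-menu',
  'ginfuru.better-nunjucks',
];

// Compare case-insensitively: the marketplace shows the publisher's own
// capitalisation, while directory names on disk may be lower-cased.
const COMPROMISED_SET = new Set(KNOWN_COMPROMISED.map((id) => id.toLowerCase()));

// Split "publisher.name-1.2.3[-suffix]" into ID and version. The lazy prefix
// stops at the first "-" that is followed by a dotted version number, so
// hyphens inside the extension name itself are preserved.
function parseExtensionDir(dirName) {
  const m = /^(.+?)-(\d+\.\d+\.\d+.*)$/.exec(dirName);
  if (!m) return null;
  return { id: m[1].toLowerCase(), version: m[2] };
}

// Given a list of extension directory names, return those on the known list.
function findCompromised(dirNames) {
  const hits = [];
  for (const dir of dirNames) {
    const parsed = parseExtensionDir(dir);
    if (parsed && COMPROMISED_SET.has(parsed.id)) {
      hits.push({ dir, id: parsed.id, version: parsed.version });
    }
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const os = require('os');
  const path = require('path');
  const extDir = path.join(os.homedir(), '.vscode', 'extensions');
  let dirs = [];
  try {
    dirs = fs.readdirSync(extDir, { withFileTypes: true })
      .filter((d) => d.isDirectory())
      .map((d) => d.name);
  } catch (e) {
    console.error(`cannot read ${extDir}: ${e.message}`);
    process.exit(2);
  }
  const hits = findCompromised(dirs);
  if (hits.length === 0) {
    console.log(`no known Glassworm extensions among ${dirs.length} installed`);
  } else {
    for (const h of hits) console.log(`REMOVE: ${h.dir} (${h.id} v${h.version})`);
    process.exitCode = 1;
  }
}
```

A match means the extension directory should be removed and, per Koi's advice, any credentials present on that machine (npm, GitHub, OpenVSX, git, and browser wallet extensions) treated as exposed and rotated. A clean result only covers the seven IDs known at the time of the article.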

Copyright © iTnews.com.au . All rights reserved.