Just a few weeks after being declared eradicated, the malware known as GlassWorm has made a surprising comeback. It’s now targeting open source tools used by developers, especially within Visual Studio Code extensions. This worm is sneaky, hiding in plain sight using invisible Unicode characters and leveraging blockchain-based command-and-control (C2) servers to stay active.

How the Malware Works and Its Recent Resurgence

GlassWorm first appeared in October, employing special Unicode characters that look like blank spaces to hide malicious code inside extensions. When developers open their code editors, these invisible scripts execute without detection. Researchers from Koi discovered that the worm has returned, with new infections and three more compromised extensions. These extensions have been downloaded thousands of times, making the threat even more widespread.

What makes this malware especially tricky is how it hides in code commits on GitHub. The attackers insert malicious, invisible code into commits that seem like normal updates. They also steal GitHub credentials and push malicious changes to other repositories. The malware’s ability to stay hidden and spread quickly has caused concern across the developer community worldwide, including in the US, Europe, Asia, South America, and even a major government in the Middle East.

The Resilience of Blockchain and Supply Chain Risks

To keep their malicious payloads active, the attackers use the Solana blockchain to post new commands for their C2 servers. Even if one server is shut down, they can post a new transaction for next to nothing, and infected machines will automatically fetch the updated instructions. This shows how blockchain infrastructure makes removing malware much harder, since the attacker can quickly re-establish control over infected systems.

Security experts are worried because this isn’t just about individual extensions anymore. The malware is part of a larger supply chain attack, which infects the entire development ecosystem. The attackers have left exposed points in their infrastructure, including a keylogger that reveals their user IDs on messaging platforms and cryptocurrency exchanges. Law enforcement agencies have been notified, and victims are being informed, but the threat continues to evolve.

The Challenges of Securing Open Source Ecosystems

This incident highlights a bigger problem with open source platforms like OpenVSX. They often rely heavily on automated tools and publisher agreements to vet code, but lack the manual review process needed to catch clever hacks. Experts like David Shipley from Beauceron Security point out that the low-cost, free nature of open source means fewer resources are dedicated to security. When there’s no incentive for thorough reviews, malicious code can slip through easily.

Security teams are advised to question whether open source repositories can be trusted without additional safeguards. If manual reviews aren’t feasible, it might be safer to source code from curated, more strictly reviewed sources. The broader issue is that the software supply chain has become a major attack vector. Attackers are now targeting the entire ecosystem—toolchains, marketplaces, and developer infrastructure—making it essential for organizations to treat their developer environments like production environments.

Organizations should monitor for suspicious activities, such as hidden Unicode characters in extensions, unusual outbound network traffic, or compromised developer credentials. Disabling auto-updates, maintaining an inventory of installed extensions, and enforcing strict controls over third-party components can help reduce risks. Security teams need to apply the same level of scrutiny to developer toolchains as they do to critical production systems.

Ultimately, experts warn that these aren’t typical supply chain attacks. They’re designed to persist over time, with attackers using sophisticated methods to evade detection and maintain control. The ongoing threat underscores the importance of vigilance, proactive monitoring, and strengthening security practices across the entire development process.

As the developer ecosystem continues to grow and integrate with blockchain and other emerging technologies, the need for robust security measures becomes even more critical. The GlassWorm case serves as a reminder that attackers will keep evolving their tactics, and defenders must stay one step ahead to protect critical infrastructure and open source communities alike.

Inspired by

• https://www.infoworld.com/article/4087674/how-glassworm-wormed-its-way-back-into-developers-code-and-what-it-says-about-open-source-security.html

Sources

• gmpg.org
• open-vsx.org
• koi.ai
• csoonline.com
• koi.ai