How a Sophisticated Supply Chain Attack Is Targeting Visual Studio Code Users
Recently, security experts issued urgent warnings about a new, highly advanced supply chain attack that’s spreading fast. This attack involves a malware worm called GlassWorm, which is targeting extensions in the Visual Studio Code marketplace. Researchers from Koi Security in Israel discovered that several extensions in the OpenVSX and Microsoft VS Code marketplaces have been compromised.
This isn’t your typical malware attack. The attackers use a clever trick to hide their malicious code: they embed it using Unicode variation selectors, special characters that render as nothing (they look like blank space or whitespace) yet carry executable code. Because nothing visible appears in the editor or in a diff, the malware is hard to detect with standard security tools or during code reviews. To a JavaScript interpreter, though, it’s very much alive and running.
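The hiding technique described above can be checked for mechanically: a run of Unicode variation selectors or other zero-width code points in a JavaScript file is almost never legitimate, so a scanner that reports where such runs occur gives reviewers and security tooling something concrete to flag. The following is an added example written for this article, not code from Koi Security or from the affected extensions; the sample source text is constructed, and the code point ranges are the standard Unicode variation selector blocks (U+FE00–U+FE0F, U+E0100–U+E01EF) plus the common zero-width characters.

```python
"""Locate runs of invisible Unicode code points that can hide a payload in source text.

Added defensive example: reports (line, column, run length, kind) for every run of
variation selectors or zero-width characters, so a reviewer can inspect the spot
that renders as blank space. It does not decode or execute anything.
"""
from pathlib import Path

# Unicode variation selectors (VS1-VS16 and VS17-VS256): render as nothing on their own.
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
# Zero-width characters: the same class of "invisible but present" problem.
ZERO_WIDTH = [(0x200B, 0x200F), (0x2060, 0x2064), (0xFEFF, 0xFEFF)]


def _in_ranges(cp, ranges):
    return any(lo <= cp <= hi for lo, hi in ranges)


def is_invisible(ch):
    """True if the character is a variation selector or a zero-width code point."""
    cp = ord(ch)
    return _in_ranges(cp, VARIATION_SELECTORS) or _in_ranges(cp, ZERO_WIDTH)


def find_hidden_runs(text):
    """Return [(line, col, length, kind), ...] for each maximal run of invisible characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            run = line[start:col]
            kinds = {
                "variation-selector" if _in_ranges(ord(c), VARIATION_SELECTORS) else "zero-width"
                for c in run
            }
            findings.append((lineno, start, len(run), ",".join(sorted(kinds))))
    return findings


def suspicious_runs(text, min_run=8):
    """Filter out the benign case (a single VS16 after an emoji) and keep long runs only.

    A lone variation selector is normal text; dozens in a row inside a .js file is not.
    """
    return [f for f in find_hidden_runs(text) if f[2] >= min_run]


def scan_file(path, min_run=8):
    """Scan one file on disk; undecodable bytes are replaced rather than aborting the scan."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return suspicious_runs(text, min_run=min_run)


# Constructed sample: line 1 holds a legitimate emoji + VS16, line 3 hides a 40-character
# run of variation selectors after a normal statement (nothing visible on screen).
SAMPLE_JS = (
    'const greeting = "hello \u2764\ufe0f";\n'
    "function init() {\n"
    "  return 1;" + "".join(chr(0xE0100 + i) for i in range(40)) + "\n"
    "}\n"
)

if __name__ == "__main__":
    for line, col, length, kind in suspicious_runs(SAMPLE_JS):
        print(f"line {line} col {col}: {length} invisible chars ({kind})")
```

Run it over an extension's unpacked `.js` files with `scan_file`; a hit is a reason to quarantine the extension and inspect the surrounding code, not proof of compromise on its own, since the scanner only shows where invisible characters sit.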
The impact of this worm is serious. Once installed, it can steal credentials from NPM, GitHub, and Git, which are common developer tools. It can drain funds from cryptocurrency wallets, set up hidden proxy servers on developers’ machines, and install remote access servers that give hackers backdoor access. The malware can also use stolen credentials to infect more packages and extensions, spreading further through the developer community.
Over 35,000 downloads of seven compromised extensions in OpenVSX alone indicate how quickly this malware can spread. An additional infected extension was found in the VS Code marketplace over the weekend. The malware’s command-and-control infrastructure leverages the Solana blockchain and even Google Calendar events to stay hidden and keep its operators in control. It can turn infected developer computers into SOCKS proxy servers, which can be used to reach company networks, exfiltrate data, or launch further attacks.
Because extensions in Visual Studio Code run with the full privileges of the user who launched the editor, once installed they can perform almost any malicious action. That’s why CISOs are being told to treat this as an immediate security incident if their teams use VS Code. Organizations should quickly inventory which applications and extensions are in use, especially those that might have been compromised. Monitoring for unusual activity, such as strange outgoing connections, unexpected remote access servers, or long-lived proxies, is also crucial.
In addition to investigation, organizations should take preventive steps. Disabling automatic updates for extensions can prevent new malware from installing without warning. Blocking access to untrusted marketplaces like OpenVSX and other unknown sources is recommended. Developers should log out of their tools, reboot their machines, and rotate any credentials that might have been leaked. These steps help contain the threat and limit further damage.
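The inventory and auto-update steps above can be turned into a repeatable workstation check. The following is an added example, not a tool from the researchers or from Microsoft: it reads each extension's `package.json` from the extensions directory to build an inventory, compares it against a blocklist, and verifies that the two real VS Code settings `extensions.autoUpdate` and `extensions.autoCheckUpdates` are set to `false`. The blocklist entries are deliberately fake placeholders because the article does not name the compromised extension ids; the demo install is constructed in a temporary directory.

```python
"""Audit a VS Code install: extension inventory, blocklist match, auto-update settings.

Added defensive example. Assumes the standard layout of ~/.vscode/extensions/<id>-<ver>/package.json
and a settings.json with plain JSON (VS Code tolerates comments in settings.json; strip them first
if your file has any).
"""
import json
import tempfile
from pathlib import Path

# HYPOTHETICAL placeholders: replace with the published list of compromised extension ids.
KNOWN_BAD = {"example-publisher.compromised-extension"}

# Settings that must be false so the marketplace cannot push an update silently.
AUTO_UPDATE_KEYS = ("extensions.autoUpdate", "extensions.autoCheckUpdates")


def inventory_extensions(ext_dir):
    """Return {"publisher.name": version} for every extension folder with a readable package.json."""
    found = {}
    for pkg in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, but do not abort the audit
        publisher, name = meta.get("publisher"), meta.get("name")
        if publisher and name:
            found[f"{publisher}.{name}".lower()] = meta.get("version", "unknown")
    return found


def flagged_extensions(inventory, blocklist=KNOWN_BAD):
    """Extension ids present on this machine that appear in the blocklist."""
    return sorted(ext_id for ext_id in inventory if ext_id in blocklist)


def check_auto_update(settings_path):
    """Return the auto-update settings that are not explicitly false (missing key = default on)."""
    settings = {}
    path = Path(settings_path)
    if path.exists():
        settings = json.loads(path.read_text(encoding="utf-8"))
    # `is not False` also catches string values such as "onlyEnabledExtensions".
    return [key for key in AUTO_UPDATE_KEYS if settings.get(key) is not False]


def audit(ext_dir, settings_path):
    """Combine the three checks into one report dict."""
    inventory = inventory_extensions(ext_dir)
    return {
        "inventory": inventory,
        "flagged": flagged_extensions(inventory),
        "update_problems": check_auto_update(settings_path),
    }


def build_demo_install():
    """Construct a throwaway VS Code layout with one benign and one blocklisted extension."""
    root = Path(tempfile.mkdtemp(prefix="vscode-audit-demo-"))
    ext_dir = root / ".vscode" / "extensions"
    manifests = {
        "safe-publisher.good-extension-1.2.0": {
            "publisher": "safe-publisher", "name": "good-extension", "version": "1.2.0"},
        "example-publisher.compromised-extension-0.9.1": {
            "publisher": "example-publisher", "name": "compromised-extension", "version": "0.9.1"},
    }
    for folder, meta in manifests.items():
        (ext_dir / folder).mkdir(parents=True)
        (ext_dir / folder / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    # Constructed settings: checking is off, but automatic installation of updates is still on.
    (root / "settings.json").write_text(
        json.dumps({"extensions.autoUpdate": True, "extensions.autoCheckUpdates": False}),
        encoding="utf-8")
    return root


if __name__ == "__main__":
    demo = build_demo_install()
    report = audit(demo / ".vscode" / "extensions", demo / "settings.json")
    for ext_id, version in report["inventory"].items():
        print(f"{ext_id}@{version}" + ("  <-- BLOCKLISTED" if ext_id in report["flagged"] else ""))
    for key in report["update_problems"]:
        print(f'settings: set "{key}": false')
```

On a real workstation, point `audit` at `~/.vscode/extensions` and the user `settings.json`; a non-empty `flagged` list is an incident trigger under the guidance above, and a non-empty `update_problems` list means the marketplace can still push a new version without the developer noticing.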
Experts also emphasize the importance of educating developers about these risks. Developers often install extensions without realizing they could give hackers full access to their work environment. Security teams should work closely with developers to ensure proper safety measures are in place. Limiting the use of unnecessary extensions and keeping a close eye on unusual activity can make a big difference.
This attack highlights a broader trend: threat actors are increasingly targeting developer tools and code marketplaces to insert malicious code. Other recent incidents have involved similar tactics, including abuse of Unicode characters to hide malware. These supply chain attacks can have far-reaching effects, as malicious code can spread into organizational environments and steal sensitive data or credentials.
The use of blockchain, especially the Solana network, in controlling malware like GlassWorm shows how attackers are mixing new tech with old malware tactics. They’re creating complex, resilient infrastructures to maintain control and evade detection. Researchers warn that these hybrid attacks are becoming more common and require a coordinated response from security teams, marketplace operators, and threat intelligence groups.
For security leaders, the key takeaway is to reduce the attack surface. Only install the tools and features that are actually needed. Unused extensions and dependencies should be removed regularly. Continuous monitoring of developer workstations for suspicious activity is essential, especially for those with privileged access. Implementing strict access controls and fast, structured change management processes can also help prevent or quickly contain such threats.
Finally, ongoing training for developers on secure coding and supply chain security is vital. Educated developers are less likely to unwittingly install malicious extensions or fall victim to these sophisticated attacks. As the landscape evolves, collaboration among security, development, and blockchain monitoring teams will be crucial to stay ahead of these emerging threats.