Full Report
Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks. The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span
Analysis Summary
# Incident Report: GlassWorm Supply Chain Worm Targeting VS Code Extensions
## Executive Summary
A sophisticated, self-propagating worm named "GlassWorm" exploited vulnerabilities in the software supply chain by infecting popular VS Code extensions hosted on both the Open VSX Registry and the Microsoft Extension Marketplace. The attack leveraged novel obfuscation techniques involving invisible Unicode characters to hide malicious code, with the primary goal of stealing developer credentials, cryptocurrency, and establishing persistent remote access mechanisms across compromised developer machines. The incident, which began spreading on October 17, 2025, highlights the increasing threat to the DevOps ecosystem.
## Incident Details
- **Discovery Date:** October 24, 2025 (Date of the report)
- **Incident Date:** First wave of infections started on October 17, 2025
- **Affected Organization:** Developers utilizing compromised VS Code extensions (13 on Open VSX, 1 on Microsoft Marketplace). Total downloads estimated at about 35,800.
- **Sector:** Technology/Software Development (DevOps)
- **Geography:** Global (Distributed via extension marketplaces)
## Timeline of Events
### Initial Access
- **Date/Time:** On or around October 17, 2025
- **Vector:** Compromised third-party VS Code extensions uploaded to public marketplaces. The exact method of initial hijacking of the extensions is currently unknown.
- **Details:** Malicious JavaScript code was seeded into popular extensions. This code used **Unicode Variation Selectors** (invisible characters) to conceal its presence from standard code reviews or editors.
### Lateral Movement
- **Details:** The worm was designed to self-propagate. Stolen credentials (npm, Open VSX, GitHub, Git) were used to weaponize and compromise *additional* packages and extensions for further spread.
### Data Exfiltration/Impact
- **Details:** Stolen credentials were used to harvest data, drain funds from 49 different cryptocurrency wallet extensions, establish SOCKS proxy servers, and install Hidden VNC (HVNC) servers for persistent remote access. Data exfiltration occurred to an endpoint at `140.82.52[.]31:80`.
### Detection & Response
- **How it was discovered:** Detected and reported by Koi Security researchers (as of October 24, 2025 report date).
- **Response actions taken:** Not fully detailed, but the critical step involves removing the malicious extensions and notifying users, especially given the auto-update configuration of VS Code.
## Attack Methodology
- **Initial Access:** Compromised VS Code Extensions (Supply Chain Attack).
- **Persistence:** Installation of SOCKS proxy servers and Hidden VNC (HVNC) servers for remote control.
- **Privilege Escalation:** Not explicitly detailed, but credential theft facilitates broader access later.
- **Defense Evasion:** Abuse of **invisible Unicode characters** (`Variation Selectors`) to hide malicious logic from visual inspection.
- **Credential Access:** Harvesting of npm, Open VSX, GitHub, and Git credentials.
- **Discovery:** The initial payload reached out to C2 infrastructure (obtained via Solana transaction memos or Google Calendar) to download stage-2 payload (Zombi).
- **Lateral Movement:** Weaponizing stolen credentials to compromise additional packages/extensions.
- **Collection:** Stealing cryptocurrency wallet data and general account tokens.
- **Exfiltration:** Data exfiltrated to a remote endpoint (`140.82.52[.]31:80`).
- **Impact:** Financial theft (crypto draining), establishment of botnet infrastructure (SOCKS proxies), and sustained remote access (HVNC).
## Impact Assessment
- **Financial:** Draining of funds from 49 cryptocurrency wallet extensions.
- **Data Breach:** Theft of npm, Open VSX, GitHub, and Git credentials/tokens.
- **Operational:** Compromise of developer workstations, turning them into proxy conduits and remote access points. Disruption to development pipelines due to compromised packages.
- **Reputational:** Significant damage to the trust relationship within the Open VSX Registry and affiliated developer ecosystems.
## Indicators of Compromise
- **Network indicators (Defanged C2/Exfil):**
  - C2 Fallback 1: `217.69.3[.]218`
  - C2 Fallback 2: `199.247.10[.]166`
  - Exfiltration Endpoint: `140.82.52[.]31:80`
- **File indicators:** The **Zombi module** (containing SOCKS proxy, WebRTC, DHT, and HVNC components).
- **Behavioral indicators:**
  - Queries referencing Solana transactions associated with an attacker-controlled wallet (`28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2`).
  - Parsing Base64 encoded strings from Solana transaction memo fields or Google Calendar events.
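As an added illustration (not part of the Koi Security report or this summary), the following Python matches proxy and firewall log lines against the indicators listed above. It refangs the report's `[.]` notation first, flags any of the three IPs (noting a port that differs from the documented exfiltration port 80), and flags the attacker-controlled Solana wallet string. The log lines and the `10.0.0.5` / `203.0.113.7` addresses are constructed placeholders, not real traffic.

```python
"""Match proxy/firewall log lines against the defanged GlassWorm IoCs above.

Added example (not from the original report): the indicator values come from
the report; the log lines are constructed for illustration.
"""
import re

# Indicators exactly as listed in the report, still defanged.
DEFANGED_IOCS = {
    "c2_fallback_1": "217.69.3[.]218",
    "c2_fallback_2": "199.247.10[.]166",
    "exfil_endpoint": "140.82.52[.]31:80",
}
# Attacker-controlled Solana wallet from the behavioral indicators.
SOLANA_WALLET = "28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2"

# IPv4 literal with an optional ":port"; the lookarounds stop partial matches
# inside longer digit/dot runs (e.g. timestamps or version strings).
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])(?::(\d{1,5}))?")


def refang(indicator: str) -> str:
    """Turn the report's '[.]' notation back into a real dotted quad."""
    return indicator.replace("[.]", ".")


def build_ip_table() -> dict:
    """Map refanged IP -> (indicator name, expected port or None)."""
    table = {}
    for name, value in DEFANGED_IOCS.items():
        host, _, port = refang(value).partition(":")
        table[host] = (name, int(port) if port else None)
    return table


def scan_line(line: str, table: dict) -> list:
    """Return the indicator names that occur in one log line."""
    hits = []
    for match in IP_RE.finditer(line):
        ip, port = match.group(1), match.group(2)
        if ip in table:
            name, expected_port = table[ip]
            # The IP alone is worth flagging; a differing port is only noted,
            # since the report documents port 80 for the exfil endpoint.
            if expected_port is not None and port is not None and int(port) != expected_port:
                name += f"(port {port}, expected {expected_port})"
            hits.append(name)
    if SOLANA_WALLET in line:
        hits.append("solana_wallet")
    return hits


def scan_log(lines: list) -> list:
    """Return (line_number, line, hits) for every line with at least one hit."""
    table = build_ip_table()
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line, table)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines (not real traffic); 10.0.0.5 and 203.0.113.7
# are private/documentation addresses used as placeholders.
SAMPLE_LOG = [
    "2025-10-18T09:12:44Z proxy src=10.0.0.5 dst=140.82.52.31:80 method=POST bytes=4821",
    "2025-10-18T09:13:01Z proxy src=10.0.0.5 dst=203.0.113.7:443 method=GET bytes=512",
    "2025-10-18T09:13:05Z http GET /v1/tx?address=28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2",
    "2025-10-18T09:14:22Z fw allow src=10.0.0.5 dst=199.247.10.166:443 proto=tcp",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Feed `scan_log` the lines of an exported proxy or firewall log; IP-only matching is deliberate so that traffic to a listed host on an undocumented port is still surfaced rather than silently dropped.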
## Response Actions
- **Containment:** Removal of the 14 identified malicious VS Code extensions from both marketplaces. Disabling auto-update features for developer tools was likely necessary across affected groups.
- **Eradication:** Resetting all harvested credentials (npm, Git, GitHub) for all developers potentially using the affected extensions. Isolating developer machines suspected of running the Zombi payload.
- **Recovery:** Auditing CI/CD environments for further compromises enabled by stolen tokens. Restoring developer systems confirmed to have HVNC or SOCKS proxies installed.
## Lessons Learned
- The inherent risk associated with developer tools and supply chains (DevOps space) is accelerating, as proven by this and the recent Shai-Hulud incident.
- Automation bias (VS Code extensions auto-updating) can be weaponized to automatically deploy malware without user interaction.
- Attackers are developing highly novel evasion techniques, such as using invisible Unicode characters to bypass static analysis and visual code review.
- Using blockchain infrastructure (Solana transaction memos) to distribute C2 addresses makes the attacker's infrastructure significantly more resilient to traditional takedown procedures.
## Recommendations
- Implement strict scanning and auditing policies for all third-party extensions installed within the development environment, specifically looking for unusual post-install scripts.
- Where possible, limit or configure extension auto-update functionality, requiring manual approvals for updates to critical development tools.
- Incorporate specialized static analysis tools capable of detecting obfuscation via Unicode manipulation or hidden character sequences within source code.
- Enforce mandatory Multi-Factor Authentication (MFA) on all developer accounts (GitHub, npm, etc.) to mitigate the impact of credential theft.
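The following Python is an added example, not tooling from the report or from Koi Security, showing a minimal check for the two scannable recommendations above: it walks an extension directory for runs of invisible Unicode code points (the Variation Selector blocks named in the report, generalized to a few other zero-width characters) and lists install-time lifecycle hooks in any `package.json`. The sample extension files it scans are constructed inline; the code point ranges are the standard Unicode blocks.

```python
"""Scan extension sources for invisible Unicode code points and install hooks.

Added example, not part of the original report: the sample extension files
below are constructed, and the code point ranges are the Unicode standard's
Variation Selector blocks plus a few other zero-width characters.
"""
import json
import os
import tempfile

# Variation Selectors: the character class the report says GlassWorm used.
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
# Other zero-width / invisible format characters; added as a generalization,
# since they hide just as well in an editor.
OTHER_INVISIBLES = [(0x200B, 0x200D), (0x2060, 0x2064), (0xFEFF, 0xFEFF)]
# npm lifecycle hooks that run code on install (the "unusual post-install
# scripts" the recommendation refers to).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS + OTHER_INVISIBLES)


def find_invisible_runs(text: str) -> list:
    """Return (line_no, column, run_length) for each run of invisible code points.

    Columns count code points, which is what an editor's cursor position shows.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        col = 0
        while col < len(line):
            if is_invisible(line[col]):
                start = col
                while col < len(line) and is_invisible(line[col]):
                    col += 1
                findings.append((line_no, start, col - start))
            else:
                col += 1
    return findings


def find_install_hooks(package_json_text: str) -> dict:
    """Return the lifecycle scripts in a package.json that execute on install."""
    try:
        data = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}
    scripts = data.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def scan_tree(root: str, suffixes=(".js", ".cjs", ".mjs", ".ts", ".json")) -> list:
    """Walk an extension directory and return (path, finding_kind, detail) tuples."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            runs = find_invisible_runs(text)
            if runs:
                report.append((path, "invisible_unicode", runs))
            if name == "package.json":
                hooks = find_install_hooks(text)
                if hooks:
                    report.append((path, "install_hook", hooks))
    return report


# Constructed sample files: a source file with a run of four Variation
# Selectors appended to an innocent-looking comment, and a package.json
# with a postinstall hook.
SAMPLE_JS = (
    "const activate = () => console.log('extension ready');\n"
    "// nothing to see here" + "\ufe00\ufe01\ufe0f\U000E0100" + "\n"
)
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-sample-extension",
    "scripts": {"postinstall": "node setup.js", "test": "mocha"},
})


def demo() -> list:
    """Write the constructed files to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "extension.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_JS)
        with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PACKAGE_JSON)
        return [(os.path.basename(p), kind, detail) for p, kind, detail in scan_tree(root)]


if __name__ == "__main__":
    for name, kind, detail in demo():
        print(f"{name}: {kind} -> {detail}")
```

Point `scan_tree` at the installed-extensions directory (`~/.vscode/extensions` on Linux and macOS, `%USERPROFILE%\.vscode\extensions` on Windows) to check what is actually on a workstation. The invisible-character scan is the check that applies directly to a shipped extension; the lifecycle-hook check matters for npm dependencies pulled in during an extension's build, since installing a `.vsix` does not itself run `package.json` scripts.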