GlassWorm Malware Discovered in Three VS Code Extensions with Thousands of Installs

Posted on November 10, 2025 By CWS

Nov 10, 2025Ravie LakshmananMalware / Menace Intelligence
Cybersecurity researchers have disclosed a brand new set of three extensions related to the GlassWorm marketing campaign, indicating continued makes an attempt on a part of menace actors to focus on the Visible Studio Code (VS Code) ecosystem.
The extensions in query, that are nonetheless accessible for obtain, are listed beneath –

GlassWorm, first documented by Koi Security late last month, refers to a campaign in which threat actors leverage VS Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace to harvest Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, and drop additional tools for remote access.
What makes the malware notable is that it uses invisible Unicode characters to hide malicious code in code editors and abuses the pilfered credentials to compromise additional extensions and further extend its reach, effectively creating a self-replication cycle that allows it to spread in a worm-like fashion.
In response to the findings, Open VSX said it identified and removed all malicious extensions, in addition to rotating or revoking associated tokens as of October 21, 2025. However, the latest report from Koi Security shows that the threat has resurfaced a second time, using the same invisible Unicode character obfuscation trick to bypass detection.
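A defender-side check for the obfuscation described above, as an added example that is not code from the article or from Koi Security: it scans extension source text for runs of invisible Unicode code points and reports where they sit. The code point ranges and the `minRun` threshold are assumptions, since the article does not say which characters the campaign uses.

```javascript
// Added example: flag runs of invisible Unicode code points in source text.
// The ranges below are an assumption; the article does not name the code points used.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space/joiners, LRM/RLM
  [0x202a, 0x202e],   // bidi embedding/override controls
  [0x2060, 0x2069],   // word joiner, invisible operators, bidi isolates
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // zero-width no-break space / BOM
  [0xe0000, 0xe007f], // tag characters
  [0xe0100, 0xe01ef], // variation selectors supplement
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per run of consecutive invisible code points.
// minRun (hypothetical tuning knob) suppresses isolated characters such as an
// emoji variation selector; a BOM at the very start of the text is ignored.
function findInvisibleRuns(text, minRun = 4) {
  const findings = [];
  let line = 1, col = 1, run = null, first = true;
  const flush = () => {
    if (run && run.length >= minRun) findings.push(run);
    run = null;
  };
  for (const ch of text) {            // iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    const bom = first && cp === 0xfeff;
    first = false;
    if (isInvisible(cp) && !bom) {
      if (!run) run = { line, col, length: 0, codePoints: new Set() };
      run.length += 1;
      run.codePoints.add("U+" + cp.toString(16).toUpperCase().padStart(4, "0"));
    } else {
      flush();
    }
    if (ch === "\n") { line += 1; col = 1; } else { col += 1; }
  }
  flush();
  return findings;
}

// Constructed sample: a string literal that looks empty but carries 6 hidden code points.
const hidden = String.fromCodePoint(0xfe00, 0xfe01, 0xe0100, 0xe0101, 0xfe02, 0xe0102);
const SAMPLE = "\uFEFFconst ok = '\u2764\uFE0F';\nconst blob = '" + hidden + "';\n";

console.log(findInvisibleRuns(SAMPLE));
```

Columns are counted in code points, so they can differ from an editor's UTF-16 column; lowering `minRun` to 1 also reports legitimate single characters such as the emoji variation selector on line 1 of the sample.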

“The attacker has posted a contemporary transaction to the Solana blockchain, offering an up-to-date C2 [command-and-control] endpoint for downloading the next-stage payload,” security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery said.
“This demonstrates the resilience of blockchain-based C2 infrastructure – even when payload servers are taken down, the attacker can publish a brand new transaction for a fraction of a cent, and all contaminated machines routinely fetch the brand new location.”

The security vendor also revealed it identified an endpoint that's said to have been inadvertently exposed on the attacker's server, uncovering a partial list of victims spanning the U.S., South America, Europe, and Asia. This includes a major government entity from the Middle East.

Further analysis has uncovered keylogger data supposedly from the attacker's own machine, which has yielded some clues as to GlassWorm's provenance. The threat actor is assessed to be Russian-speaking and is said to use an open-source browser extension C2 framework named RedExt as part of their infrastructure.
“These are actual organizations and actual folks whose credentials have been harvested, whose machines could also be serving as prison proxy infrastructure, whose inner networks could already be compromised,” Koi Security said.
The development comes shortly after Aikido Security published findings showing that GlassWorm has expanded its focus to target GitHub, indicating the stolen GitHub credentials are being used to push malicious commits to repositories.
