In October 2025, security researchers at Koi Security discovered GlassWorm, marking a concerning milestone in supply chain attacks: the first self-propagating worm targeting VS Code extensions on the OpenVSX and Microsoft VSCode marketplaces. With at least 35,800 confirmed compromised installations, this sophisticated attack represents an evolutionary leap in malware design that every developer should understand.
What Makes GlassWorm Different
Unlike traditional supply chain compromises, GlassWorm employs several unique techniques:
Invisible Code Injection: The malware uses invisible Unicode and Private Use Area (PUA) characters to hide malicious code that literally disappears from code editors during review. This makes detection through standard code inspection nearly impossible.
Unkillable Infrastructure: GlassWorm leverages the Solana blockchain as its command and control (C2) infrastructure. By embedding payload URLs in blockchain transaction memos, attackers created a decentralized, immutable C2 system that cannot be taken down. The malware also uses Google Calendar as a backup C2 mechanism, a legitimate service that bypasses traditional security monitoring.
True Worm Behavior: What sets GlassWorm apart is its autonomous replication. After infecting a system, it harvests NPM tokens, GitHub credentials, and OpenVSX access tokens. These stolen credentials are then automatically used to compromise additional packages and extensions, with each new victim becoming a launch point for further infections.
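To show the invisible-character technique from the reviewer's side, the following added example (not code from Koi Security, Veracode or the original article) scans source text for runs of invisible and Private Use Area code points. The code point ranges, the `minRun` threshold and the sample input are assumptions chosen for illustration.

```javascript
// Added example, not vendor code. Ranges and minRun are illustrative assumptions.
const SUSPICIOUS_RANGES = [
  [0x200b, 0x200f, "zero-width/direction mark"],
  [0x202a, 0x202e, "bidi control"],
  [0x2060, 0x206f, "invisible format character"],
  [0xfe00, 0xfe0f, "variation selector"],
  [0xfeff, 0xfeff, "zero-width no-break space"],
  [0xe000, 0xf8ff, "private use area"],
  [0xe0000, 0xe007f, "tag character"],
  [0xe0100, 0xe01ef, "variation selector supplement"],
  [0xf0000, 0x10ffff, "supplementary private use plane"],
];
const classify = (cp) =>
  (SUSPICIOUS_RANGES.find(([lo, hi]) => cp >= lo && cp <= hi) || [])[2] || null;

// Returns one finding per run of consecutive suspicious code points.
function scanSource(text, minRun = 8) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    let run = null, column = 0;
    for (const ch of line) { // iterates by code point, not UTF-16 unit
      column += 1;
      const kind = classify(ch.codePointAt(0));
      if (!kind) { run = null; continue; }
      if (!run) {
        run = { line: idx + 1, column, length: 0, kinds: new Set() };
        findings.push(run);
      }
      run.length += 1;
      run.kinds.add(kind);
    }
  });
  // A lone joiner or VS16 inside an emoji is normal; long runs can carry payloads.
  return findings.map((f) => ({
    ...f,
    kinds: [...f.kinds].sort(),
    severity: f.length >= minRun ? "high" : "review",
  }));
}

// Constructed sample: 12 invisible variation selectors inside a string literal,
// and a comment with legitimate emoji sequences (zero-width joiner, VS16).
const hidden = String.fromCodePoint(...Array.from({ length: 12 }, (_, i) => 0xe0100 + i));
const SAMPLE = [
  "const banner = 'hello';",
  "run('" + hidden + "');",
  "// team: \u{1F468}\u200D\u{1F4BB} \u2764\uFE0F",
].join("\n");
console.log(scanSource(SAMPLE));
```

Run over the `.js` files of an unpacked extension or package, this surfaces lines that look short or empty in an editor but carry long invisible runs, while single joiners in emoji are only marked for review.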
The Impact of GlassWorm
Infected systems face multiple threats:
- Credential theft (NPM, GitHub, Git tokens)
- Cryptocurrency wallet draining (49 different wallet types targeted)
- SOCKS proxy deployment, turning developer machines into criminal infrastructure
- Hidden VNC server installation for complete remote access via the “ZOMBI” RAT
- Network reconnaissance of internal corporate systems
Because VS Code extensions automatically update by default, users received malicious versions without any action required.
A Growing Threat Pattern
GlassWorm follows Shai Hulud, discovered just one month earlier as the first self-propagating worm in the npm ecosystem. This pattern reveals a troubling trend: attackers have figured out how to make supply chain malware that spreads autonomously through the entire software development ecosystem.
Veracode’s Proven Defense Against These Attack Vectors
Koi Security recently reported on this malicious Visual Studio extension. While GlassWorm represents a significant threat in the VS Code ecosystem, Veracode’s security research team has been tracking and defending against these techniques.
Our proven detection capabilities include:
Unicode Obfuscation: In our April 2025 analysis, "Down the Rabbit Hole of Unicode Obfuscation", we detailed the detection and reverse engineering of sophisticated Unicode-based JavaScript obfuscation in npm packages. We successfully analyzed 12 layers of obfuscation using invisible Japanese Katakana and Hiragana characters. This is the same fundamental technique GlassWorm employs. Our monitoring systems flagged and dissected this attack chain from invisible Unicode characters all the way down to the final payload.
Google Calendar C2 Infrastructure: In our May 2025 report, "Sophisticated NPM Attack Leveraging Unicode Steganography and Google Calendar C2", we documented an npm campaign that used Google Calendar short links as dynamic droppers for malware payloads, a technique identical to GlassWorm’s backup C2 mechanism. We identified how attackers leveraged this legitimate service to evade detection and make blocking more difficult.
While Veracode does not currently support the OpenVSX registry for Visual Studio extensions, we have tested the malicious Unicode JavaScript payload from the reported GlassWorm extension against our systems. We have confirmed that we would detect this malware if it were identified in the npm ecosystem. Our prior research demonstrates that we already possess the detection capabilities for both the Unicode obfuscation and Google Calendar C2 techniques that make GlassWorm unique.
Veracode continues to monitor the npm ecosystem for any re-emergence of the Shai Hulud worm. We have seen and blocked several copycat attempts at creating similar worms. Our continuous monitoring and deep analysis capabilities position us to identify and defend against these evolving supply chain threats before they can cause widespread damage.
Protecting Your Environment
Developers should:
- Audit installed VS Code extensions against known compromised lists
- Only install extensions from verified publishers
- Review extension updates, especially from inactive projects
- Rotate credentials (NPM tokens, GitHub tokens) immediately if using potentially affected extensions
- Monitor for unauthorized cryptocurrency wallet activity
- Consider disabling auto-updates for extensions in favor of manual review
The emergence of self-propagating supply chain worms represents a fundamental shift in the threat landscape. As development tools become increasingly interconnected, the attack surface expands and so does the potential for automated, exponential malware spread. Vigilance and robust security scanning are no longer optional. They are essential.