Malicious VS Code Extensions Trigger Third GlassWorm Supply Chain Alert

What happened

Security researchers reported a new wave of malicious Visual Studio Code extensions linked to the GlassGutter and GlassWorm malware campaigns. This is the third round of harmful packages uploaded to the Visual Studio Code Marketplace. The extensions posed as useful tools but deployed malware that can collect system data, run commands, and connect to attacker-controlled servers. Microsoft removed the infected packages after the report.

Who is affected

Developers who installed the malicious VS Code extensions are at risk. Organizations that allow developers to install extensions without review face exposure. Any environment that relies on VS Code for daily development work may be affected if these packages were downloaded before removal.

Why CISOs should care

This attack shows how trusted ecosystems can become vectors for supply chain compromise. Developer tools are a high-value target because they sit close to source code and CI workflows. Even small malicious extensions can open a path to credential theft, source code exposure, or broader lateral movement. CISOs need to treat extension marketplaces with the same scrutiny as any third-party software source.

3 practical actions

  1. Audit all developer machines for the removed VS Code extensions and remove any suspicious packages.

  2. Enforce policies that restrict extension installation to a vetted list and route new requests through security review.

  3. Add monitoring for anomalous activity tied to developer tools, such as unexpected outbound connections or command execution from IDE plugins.
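
One way to carry out actions 1 and 2 on a single machine, as an added example that is not part of the original report: the script reads each installed extension's `package.json` and sorts it into removed, unvetted, or vetted. It assumes the default per-user extensions folder (`~/.vscode/extensions`) when run for real; every extension ID below is a constructed placeholder, since the report does not name the removed packages.

```python
import json
import tempfile
from pathlib import Path

def installed_extensions(ext_dir):
    """Yield (id, version) for each extension folder, read from its package.json."""
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
        except (OSError, ValueError, KeyError, TypeError):
            # Unreadable or malformed manifest: report the folder for manual review.
            yield f"unparsed:{manifest.parent.name}", None
            continue
        yield ext_id, str(meta.get("version", "unknown"))

def audit(ext_dir, vetted, removed):
    """Classify extensions as 'removed' (known bad), 'unvetted', or 'ok'."""
    vetted = {v.lower() for v in vetted}
    removed = {r.lower() for r in removed}
    report = {"removed": [], "unvetted": [], "ok": []}
    for ext_id, version in installed_extensions(ext_dir):
        if ext_id in removed:
            bucket = "removed"
        elif ext_id in vetted:
            bucket = "ok"
        else:
            bucket = "unvetted"
        report[bucket].append((ext_id, version))
    return report

def demo():
    """Audit a constructed extensions directory (all names are placeholders)."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = [("example-pub", "vetted-tool", "1.2.0"),
                   ("placeholder-pub", "removed-extension", "0.0.3"),
                   ("unknown-pub", "handy-helper", "2.0.1")]
        for pub, name, ver in samples:
            folder = Path(tmp) / f"{pub}.{name}-{ver}"
            folder.mkdir()
            (folder / "package.json").write_text(
                json.dumps({"publisher": pub, "name": name, "version": ver}))
        broken = Path(tmp) / "broken.ext-0.1.0"
        broken.mkdir()
        (broken / "package.json").write_text("{not json")
        return audit(tmp, vetted={"example-pub.vetted-tool"},
                     removed={"placeholder-pub.removed-extension"})

if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

For a real audit, call `audit(Path.home() / ".vscode" / "extensions", vetted, removed)` with the organization's vetted list and the extension IDs published in the vendor or researcher advisory.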