What happened
The malware campaign known as GlassWorm, which previously infiltrated the Visual Studio Code and Open VSX marketplaces, has resurfaced via three newly published extensions on Open VSX. Bill Toulas of Bleeping Computer reported that the malware’s infrastructure has been revived with updated command-and-control endpoints and remains active in the marketplace.
The three offending extensions carry the same obfuscation technique (the use of invisible Unicode characters) to hide malicious JavaScript payloads.
The first wave of the campaign accounted for thousands of downloads; in this second wave the three extensions have been downloaded 3,400, 4,000, and 2,400 times respectively.
Who is affected
Any organisation or developer using Open VSX or Visual Studio Code extensions is at risk. The malware is designed to harvest credentials for GitHub, NPM, OpenVSX accounts, and crypto‑wallets via 49 affected extensions.
Notably, victims have been identified across the United States, South America, Europe, Asia, and a government entity in the Middle East.
Because the extensions remain publicly listed and downloadable, both individual developers and corporate engineering teams that import third‑party extensions could be exposed.
Why CISOs should care
- Supply chain risk: This is not classic email phishing; it is a supply‑chain compromise of developer tooling, which can propagate undetected into production.
- Credential & wallet theft: The focus on account credentials and crypto‑wallets shows that adversaries are after both identity and financial assets (including in developer ecosystems).
- Persistence & evolving tactics: The return of GlassWorm with updated infrastructure demonstrates that attackers are iterating on previous success; mitigations applied after the first wave weren’t sufficient to halt resurgence.
- Developer toolchain exposure: Most organisations focus on application and endpoint security, but may not treat developer marketplaces (extensions and plugins) with the same rigor, even though these can become a pivot point.
- Regulatory/compliance implications: If a breach of development infrastructure leads to propagation into production systems (especially in regulated environments), CISOs may face both operational disruption and compliance risk.
3 Practical Actions
- Audit your extension usage: Maintain an inventory of all VS Code/Open VSX extensions used by your engineering teams. Identify any extensions from unknown or untrusted publishers and restrict teams to a minimal allow-list of approved extensions.
- Enforce marketplace governance: Implement policy controls that restrict the installation of developer‑tool extensions without approval. Use tooling to monitor for new installations and alert on extensions appearing with unusual attributes (e.g., invisible characters, high download counts from unverified authors).
- Rotate credentials & secrets in your dev ecosystem: Given GlassWorm’s goal of stealing credentials, rotate tokens, secrets, and API keys tied to build pipelines, NPM registries, GitHub/OAuth tokens, and any crypto‑wallets linked to dev workflows. Ensure secrets are centrally managed and not embedded in extensions or local dev machines.
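The obfuscation described above (invisible Unicode characters hiding JavaScript) and the audit and monitoring actions in the first two points can both be checked with a small script. The following is an added example, not code from the original report or from any of the tools it mentions. It assumes the inventory comes from the real `code --list-extensions --show-versions` command, that extension sources live under a directory such as `~/.vscode/extensions`, and that the set of "invisible" characters worth flagging is Unicode general category Cf (zero-width spaces and joiners, bidi controls, the Tags block U+E0000 to U+E007F) plus a few visually blank letters; the allow-list and sample extension ids are constructed for illustration.

```python
"""Flag invisible Unicode characters in extension sources and check an
extension inventory against an allow-list (added example, not the report's tooling)."""
import tempfile
import unicodedata
from pathlib import Path

# Assumption: characters that render as blank but are not category Cf.
BLANK_LETTERS = {"\u115f", "\u1160", "\u3164", "\uffa0", "\u2800"}
SOURCE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".json")


def is_invisible(ch: str) -> bool:
    """True for format characters (Cf), the Unicode Tags block and blank letters."""
    if ch in BLANK_LETTERS:
        return True
    if 0xE0000 <= ord(ch) <= 0xE007F:  # Tags block: invisible, copyable payload carrier
        return True
    return unicodedata.category(ch) == "Cf"


def find_invisible(text: str) -> list:
    """Return (line, column, codepoint) for every invisible char, ignoring a leading BOM."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue  # a byte-order mark at file start is common and benign
            if is_invisible(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}"))
    return findings


def scan_sources(files: dict) -> dict:
    """files maps a path/name to its text; returns only entries with findings."""
    return {name: hits for name, text in files.items() if (hits := find_invisible(text))}


def scan_extension_dir(root) -> dict:
    """Read every source-like file under root and scan it (errors are tolerated)."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in SOURCE_SUFFIXES:
            try:
                files[str(p)] = p.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
    return scan_sources(files)


def parse_extension_list(cli_output: str) -> dict:
    """Parse `code --list-extensions --show-versions` output into {id: version}."""
    inventory = {}
    for line in cli_output.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, _, version = line.rpartition("@")
        inventory[ext_id.lower()] = version
    return inventory


def unapproved(inventory: dict, allow_list) -> list:
    """Extension ids present on the machine but absent from the allow-list."""
    allow = {a.lower() for a in allow_list}
    return sorted(ext for ext in inventory if ext not in allow)


if __name__ == "__main__":
    # Constructed sample: a hidden zero-width space inside an identifier and an
    # invisible separator after a comment, as an obfuscation heuristic would see them.
    sample_js = "const a = 1;\nconst b\u200b = 2; // hidden\u2062\n"
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp) / "example.unreviewed-helper-1.0.0"
        ext_dir.mkdir()
        (ext_dir / "extension.js").write_text(sample_js, encoding="utf-8")
        for path, hits in scan_extension_dir(tmp).items():
            print(f"{path}: {hits}")

    # Constructed CLI output; the allow-list would come from your own policy.
    inventory = parse_extension_list("ms-python.python@2024.2.1\nexample.unreviewed-helper@1.0.0\n")
    print("not on allow-list:", unapproved(inventory, ["ms-python.python"]))
```

Run it against a real machine by replacing the temporary directory with the extensions folder and piping the output of `code --list-extensions --show-versions` into `parse_extension_list`; any file that reports findings deserves a manual look before the extension is allowed, and anything returned by `unapproved` is a policy violation to follow up on.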
