
"GlassWorm, first documented by Koi Security late last month, refers to a campaign in which threat actors leverage VS Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace to harvest Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, and drop additional tools for remote access. What makes the malware notable is that it uses invisible Unicode characters to hide malicious code in code editors and abuses the pilfered credentials to compromise additional extensions and further extend its reach,"
"In response to the findings, Open VSX said it identified and removed all malicious extensions, in addition to rotating or revoking associated tokens as of October 21, 2025. However, the latest report from Koi Security shows that the threat has resurfaced a second time, using the same invisible Unicode character obfuscation trick to bypass detection."
Three newly disclosed VS Code extensions tied to GlassWorm remain available and continue to target the VS Code ecosystem via the Open VSX Registry and Microsoft Extension Marketplace. The campaign harvests Open VSX, GitHub, and Git credentials, drains funds from 49 cryptocurrency wallet extensions, and installs additional remote-access tools. The malware uses invisible Unicode characters so that its malicious code does not show up in code editors, and it uses the stolen credentials to compromise additional extensions, which enables worm-like self-replication. Open VSX removed the malicious extensions and rotated or revoked the associated tokens as of October 21, 2025. The threat has since resurfaced using the same obfuscation: a Solana transaction supplies an updated C2 endpoint, and an exposed attacker endpoint has revealed a partial victim list.
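A defender can check unpacked extension source for this kind of hiding by looking for long runs of non-rendering code points. The scanner below is an added example, not code from Koi Security, Open VSX or The Hacker News; the set of code points it treats as invisible, the run threshold, the file extensions and the sample input are all assumptions, since the page does not say which characters the campaign used.

```python
import sys
import unicodedata
from pathlib import Path

# Assumed set: the page does not name the code points involved, so this covers
# common non-rendering ones (format characters, variation selectors, tag block).
RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF), (0xE0000, 0xE007F))

def is_invisible(ch):
    # Category Cf holds zero-width joiners/spaces, bidi controls and the BOM.
    if unicodedata.category(ch) == "Cf":
        return True
    return any(lo <= ord(ch) <= hi for lo, hi in RANGES)

def find_invisible_runs(text, min_run=4):
    """Report runs of >= min_run consecutive invisible characters.
    A lone ZWJ inside an emoji or a leading BOM stays below the threshold."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            end = col
            while end < len(line) and is_invisible(line[end]):
                end += 1
            if end - col >= min_run:
                findings.append({"line": lineno, "col": col + 1,
                                 "length": end - col,
                                 "first": f"U+{ord(line[col]):04X}"})
            col = max(end, col + 1)
    return findings

def scan_tree(root, exts=(".js", ".ts", ".json")):
    """Scan an unpacked extension directory; returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in exts:
            found = find_invisible_runs(path.read_text("utf-8", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample: line 1 is benign (emoji with one ZWJ), line 2 carries a
# string literal filled with 11 variation selectors that render as nothing.
SAMPLE = ("const label = 'dev \U0001F468\u200D\U0001F4BB';\n"
          "const loader = '" + "".join(chr(0xFE00 + b % 16) for b in b"constructed") + "';\n")

if __name__ == "__main__":
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_invisible_runs(SAMPLE)
    print(result)
```

Run it with the path of an unpacked extension as the only argument; a finding gives the line, the 1-based column and the length of the run, which is where to look with a hex viewer rather than an editor.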
Read at The Hacker News