
"GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and its ability to harvest npm, Open VSX, GitHub, and Git credentials, drain cryptocurrency assets from dozens of wallets, and turn developer machines into attacker-controlled nodes for other criminal activities. The most crucial aspect of the campaign is the abuse of the stolen credentials to compromise additional packages and extensions, thereby spreading the malware like a worm."
"The latest wave of the GlassWorm campaign, spotted by Secure Annex's John Tuckner, involves a total of 24 extensions spanning both repositories. The list of identified extensions is below -

VS Code Marketplace:
iconkieftwo.icon-theme-materiall
prisma-inc.prisma-studio-assistance (removed as of December 1, 2025)
prettier-vsc.vsce-prettier
flutcode.flutter-extension
csvmech.csvrainbow
codevsce.codelddb-vscode
saoudrizvsce.claude-devsce
clangdcode.clangd-vsce
cweijamysq.sync-settings-vscode
bphpburnsus.iconesvscode
klustfix.kluster-code-verify
vims-vsce.vscode-vim
yamlcode.yaml-vscode-extension
solblanco.svetle-vsce
vsceue.volar-vscode
redmat.vscode-quarkus-pro
msjsdreact.react-native-vsce

Open VSX:
bphpburn.icons-vscode
tailwind-nuxt.tailwindcss-for-react
flutcode.flutter-extension
yamlcode.yaml-vscode-extension
saoudrizvsce.claude-dev
saoudrizvsce.claude-devsce
vitalik.solidity"
GlassWorm reemerged, infiltrating Microsoft Visual Studio Marketplace and Open VSX with 24 malicious extensions impersonating popular developer tools and frameworks such as Flutter, React, Tailwind, Vim, and Vue. The campaign uses the Solana blockchain for command-and-control and harvests npm, Open VSX, GitHub, and Git credentials to drain cryptocurrency from dozens of wallets and convert developer machines into attacker-controlled nodes. Stolen credentials are abused to compromise additional packages and extensions, enabling worm-like propagation. Attackers artificially inflate download counts to increase visibility and trust. Microsoft and Open VSX removed some extensions, but the campaign resurfaced and targeted GitHub repositories.
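The practical check a developer or responder wants from this report is whether any of the 24 listed extensions is installed locally, regardless of whether a registry has since pulled it. The script below is an added example (not code from The Hacker News, Secure Annex, or any of the vendors named above). It takes the identifiers quoted above as its indicator list and assumes its input is either the output of the real VS Code command `code --list-extensions --show-versions` (one `publisher.name@version` per line) or the directory names found under the editor's extensions folder (`publisher.name-version`); the `SAMPLE_INSTALLED` inventory it falls back to is constructed for illustration.

```python
"""Check locally installed VS Code / Open VSX extensions against the GlassWorm IDs listed above.

Usage with the real VS Code CLI:
    code --list-extensions --show-versions | python3 glassworm_check.py
With no piped input the script runs against the constructed SAMPLE_INSTALLED list.
"""
import re
import sys
from typing import Dict, Iterable

# Extension identifiers exactly as listed in the Secure Annex findings quoted above.
# flutcode.flutter-extension, yamlcode.yaml-vscode-extension and
# saoudrizvsce.claude-devsce appear on both registries.
VSCODE_MARKETPLACE_IOCS = frozenset({
    "iconkieftwo.icon-theme-materiall",
    "prisma-inc.prisma-studio-assistance",
    "prettier-vsc.vsce-prettier",
    "flutcode.flutter-extension",
    "csvmech.csvrainbow",
    "codevsce.codelddb-vscode",
    "saoudrizvsce.claude-devsce",
    "clangdcode.clangd-vsce",
    "cweijamysq.sync-settings-vscode",
    "bphpburnsus.iconesvscode",
    "klustfix.kluster-code-verify",
    "vims-vsce.vscode-vim",
    "yamlcode.yaml-vscode-extension",
    "solblanco.svetle-vsce",
    "vsceue.volar-vscode",
    "redmat.vscode-quarkus-pro",
    "msjsdreact.react-native-vsce",
})

OPEN_VSX_IOCS = frozenset({
    "bphpburn.icons-vscode",
    "tailwind-nuxt.tailwindcss-for-react",
    "flutcode.flutter-extension",
    "yamlcode.yaml-vscode-extension",
    "saoudrizvsce.claude-dev",
    "saoudrizvsce.claude-devsce",
    "vitalik.solidity",
})

# Version suffix as it appears in extension directory names,
# e.g. "publisher.name-1.2.3" or "publisher.name-1.2.3-universal".
_DIR_VERSION_SUFFIX = re.compile(r"-\d+(?:\.\d+)+[\w.-]*$")


def normalize_id(raw: str) -> str:
    """Reduce one line of input to a lowercase 'publisher.name' identifier.

    Accepts 'publisher.name', 'publisher.name@1.2.3' (code --list-extensions
    --show-versions) and 'publisher.name-1.2.3' (extension directory names).
    Marketplace IDs are case-insensitive, so everything is lowercased.
    """
    ext_id = raw.strip().lower().split("@", 1)[0]
    return _DIR_VERSION_SUFFIX.sub("", ext_id)


def find_glassworm_extensions(installed: Iterable[str]) -> Dict[str, str]:
    """Return {extension_id: registry} for every installed ID on the GlassWorm list."""
    hits: Dict[str, str] = {}
    for raw in installed:
        ext_id = normalize_id(raw)
        if not ext_id or "." not in ext_id:
            continue
        registries = []
        if ext_id in VSCODE_MARKETPLACE_IOCS:
            registries.append("VS Code Marketplace")
        if ext_id in OPEN_VSX_IOCS:
            registries.append("Open VSX")
        if registries:
            hits[ext_id] = " + ".join(registries)
    return hits


# Constructed sample inventory (not from a real machine): two benign extensions
# and three from the list above, in the input formats normalize_id accepts.
SAMPLE_INSTALLED = [
    "ms-python.python@2024.22.0",
    "esbenp.prettier-vscode@11.0.0",
    "flutcode.flutter-extension@1.0.3",
    "Saoudrizvsce.claude-dev@2.1.0",
    "vims-vsce.vscode-vim-0.0.7",
]


def main() -> int:
    if sys.stdin.isatty():
        installed = SAMPLE_INSTALLED
    else:
        installed = [line for line in sys.stdin if line.strip()]
    hits = find_glassworm_extensions(installed)
    if not hits:
        print("no GlassWorm extensions found")
        return 0
    for ext_id, registry in sorted(hits.items()):
        print(f"MATCH {ext_id} (listed for {registry})")
    print("Treat npm, Open VSX, GitHub and Git credentials on this machine as exposed.")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The match is on the `publisher.name` pair rather than on the display name, because the campaign's extensions impersonate legitimate tools by name (Flutter, Vim, Vue, Tailwind); only the publisher-qualified identifier distinguishes them. A non-zero exit code makes the script usable as a gate in a CI or endpoint-compliance job.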
Read at The Hacker News