Self-spreading GlassWorm malware hits OpenVSX, VS Code registries
Summary: A supply-chain attack on the OpenVSX and Microsoft Visual Studio marketplaces is infecting developers with malware called GlassWorm. The malware spreads through hidden code and stolen accounts and uses the Solana blockchain and Google Calendar for command-and-control. It has been installed 35,800 times, steals developer account and cryptocurrency wallet data, and spreads further through automatic extension updates.
2025-10-20 16:26:39 Author: www.bleepingcomputer.com (view original)


A new and ongoing supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm that has been installed an estimated 35,800 times.

The malware hides its malicious code by using invisible characters. It can also spread itself using stolen account information to infect more extensions the victim can access.

GlassWorm operators use the Solana blockchain for command-and-control, which makes takedown very difficult, with Google Calendar as a backup option.

The Microsoft Visual Studio Marketplace and OpenVSX host extensions and integrations for Visual Studio products and are constant targets of threat actors looking to steal cryptocurrency [1, 2, 3].

Researchers at endpoint security provider Koi found that the current GlassWorm campaign relies on "invisible Unicode characters that make malicious code literally disappear from code editors."

[Image: The "invisible" malicious code. Source: Koi Security]

Once installed, the malware attempts to steal credentials for GitHub, npm, and OpenVSX accounts, as well as data from 49 cryptocurrency wallet extensions.

Additionally, GlassWorm deploys a SOCKS proxy to route malicious traffic through the victim's machine and installs a hidden VNC (HVNC) component for covert remote access.

The worm has a hardcoded wallet with transactions on the Solana blockchain that provide base64-encoded links for the next-stage payloads. According to the researchers, the final payload is called ZOMBI and is a "massively obfuscated JavaScript" code that turns infected systems into nodes for the cybercriminal activities.

"GlassWorm's final stage - the ZOMBI module - transforms every infected developer workstation into a node in a criminal infrastructure network," Koi Security says.

Using the blockchain to hide payloads is a method that has been gaining traction due to the multiple operational benefits it offers, including resilience to takedowns, anonymity, low cost, and flexibility for updates.

[Image: The Solana transaction that fetches the next-stage payload. Source: Koi Security]

A backup method for sourcing payloads involves a Google Calendar event title that includes a base64-encoded URL. A third delivery mechanism uses direct connection to the IP address 217.69.3[.]218.

For further evasion and resilience, the malware uses BitTorrent’s Distributed Hash Table (DHT) for decentralized command distribution.

Researchers found at least eleven extensions infected by GlassWorm on OpenVSX and one on Microsoft’s VS Code Marketplace:

  1. [email protected] and 1.8.4  
  2. [email protected]  
  3. [email protected]  
  4. [email protected]  
  5. [email protected]  
  6. [email protected] and 1.0.91  
  7. [email protected]  
  8. [email protected]  
  9. [email protected]  
  10. [email protected]  
  11. [email protected]  
  12. [email protected] (Microsoft VS Code)

The researchers say that seven extensions on OpenVSX were compromised on October 17 and more infections followed over the next couple of days on both OpenVSX and VS Code. Koi Security notes that the full impact is 35,800 active GlassWorm installations.

"Here's what makes this particularly urgent: VS Code extensions auto-update. When CodeJoy pushed version 1.8.3 with invisible malware, everyone with CodeJoy installed got automatically updated to the infected version. No user interaction. No warning. Just silent, automatic infection," the researchers say.

At publishing time, at least four of the compromised extensions Koi Security found were still available for download on OpenVSX. Microsoft has removed the malicious extension from its marketplace following the researchers' alert.

The publishers of vscode-theme-seti-folder and git-worktree-menu have updated the extensions to remove the malicious code.

[Image: Function that targets developers' secrets. Source: Koi Security]

Last month, a similar worm-style attack dubbed “Shai-Hulud” hit the npm ecosystem, compromising 187 packages. The malware used the TruffleHog scanning tool to identify secrets, passwords, and sensitive keys.

Koi Security says that GlassWorm "is one of the most sophisticated supply chain attacks" and the first documented case of a worm-like attack on VS Code.

The C2 and payload servers in the GlassWorm campaign remain active, the researchers warn. On Saturday, there were still ten extensions actively distributing the malware.


Article source: https://www.bleepingcomputer.com/news/security/self-spreading-glassworm-malware-hits-openvsx-vs-code-registries/