GlassWorm Self-Propagating Malware Compromises VS Code Extensions

Threat Group – Unknown (no confirmed attribution)
Threat Type – Self-propagating software supply chain malware targeting VS Code and OpenVSX ecosystems
Exploited Vulnerabilities – Abuse of trusted publisher credentials and the automated extension update pipeline; no CVE assigned for the platform itself
Malware Used – GlassWorm loader and final-stage ZOMBI module (RAT with SOCKS proxy, HVNC, P2P C2, credential theft, and self-replication)
Threat Score – 🔴 8.1 High
Last Threat Observation – 22 October 2025


Overview

The GlassWorm campaign represents a significant escalation in developer tool supply-chain threats. Rather than exploiting a zero-day vulnerability, the operators weaponise trust—they obtain or hijack legitimate publisher credentials, insert a self-replicating loader into existing extensions, and rely on default auto-updates to deliver the malware silently to developer workstations.

Stealth comes from invisible Unicode variation selectors (U+FE0E / U+FE0F) embedded within JavaScript and TypeScript files. The loader is stored as a long run of these zero-width characters, which render as nothing in editors and code-diff tools, so a visual review or a naive static scan sees only empty space; at runtime the run is decoded back into ordinary, fully executable JavaScript.

Once executed, the loader fetches and decrypts the ZOMBI module, a heavily obfuscated remote-access payload that transforms infected developer workstations and CI/CD runners into autonomous nodes within the attacker’s infrastructure. The ZOMBI module establishes persistence (Windows Registry Run keys), deploys SOCKS proxy services, installs Hidden VNC (HVNC) for covert remote control, and abuses harvested NPM, GitHub, OpenVSX, and Git credentials to publish new malicious extensions, ensuring rapid, self-sustaining propagation.

Resilience comes from a triple-redundant, decentralised command-and-control (C2) structure: the Solana blockchain (primary), direct IP/HTTP fallback, and Google Calendar event titles (cloud-based fallback). WebRTC and BitTorrent Distributed Hash Table (DHT) layers add peer-to-peer redundancy on top, so the infrastructure cannot be dismantled by seizing a single host or domain.

Given the malware's stealth, propagation potential, and decentralised resilience, the threat score of 8.1 (High) is warranted.


Key Details

Delivery Method

  • The attackers compromise legitimate extension publisher accounts or insert malicious code during the release process.
  • Modified extensions are published to OpenVSX and VS Code Marketplace with invisible Unicode-encoded loaders.
  • Auto-update mechanisms silently deliver the malicious versions to users without any prompts.
  • The malicious code retrieves and decrypts the ZOMBI payload, which establishes persistence and further propagation.
  • Using stolen tokens, the malware publishes new infected extension updates, ensuring exponential spread.

Target Profile

  • Software developers using VS Code and compatible IDEs.
  • Extension publishers and CI/CD systems holding tokens for OpenVSX, Marketplace, NPM, and GitHub.
  • Organisations with integrated development pipelines linked to repositories.
  • Users of cryptocurrency wallet extensions (secondary objective: financial theft).

Functions (ZOMBI Module)

  • Credential theft: NPM, GitHub, OpenVSX, Git, and cryptocurrency wallet extensions.
  • Remote control: Deploys Hidden VNC for invisible, interactive sessions.
  • Network proxying: Installs a SOCKS proxy for attacker traffic routing.
  • Propagation: Automatically publishes new malicious updates with stolen credentials.
  • Decentralised C2: Communicates via blockchain memos, fallback HTTP, Google Calendar, WebRTC, and BitTorrent DHT.

Obfuscation and Evasion

  • Invisible Unicode (U+FE0E / U+FE0F) conceals code from human and automated review.
  • Dynamic decryption keys returned via HTTP headers decrypt payloads in memory.
  • Decentralised infrastructure blends with legitimate traffic, making takedown impractical.
  • Modular payload design allows flexible updates and rapid redeployment.

Attack Vectors

Stage | Description
1. Publisher compromise | Attacker steals or hijacks publisher credentials for a trusted extension.
2. Malicious update | The attacker uploads a new version embedding the invisible loader code.
3. Silent infection | VS Code auto-updates install the infected version on every endpoint that has the extension, with no prompt.
4. Payload retrieval | The loader reads base64-encoded payload URLs from Solana transaction memos (falling back to direct HTTP and Google Calendar) and downloads the ZOMBI module from the payload servers.
5. Execution and persistence | ZOMBI writes registry Run keys, installs SOCKS proxy and HVNC services, and begins credential exfiltration.
6. Propagation | Stolen tokens are used to publish new malicious extension versions, continuing the infection chain.

Known Indicators of Compromise (IoCs)

(All indicators are defanged to prevent accidental activation. Replace hxxp with http/https and [.] with . before use, and only in a secure analysis environment.)

Network / C2 / Exfiltration

Type | Indicator (Defanged) | Notes
Payload/C2 IP | 217[.]69[.]3[.]218 | Primary payload and C2 host, active mid to late October 2025
Exfiltration endpoint | 140[.]82[.]52[.]31:80/wall | Stolen credential collection endpoint
Blockchain C2 | Solana wallet 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2 | Transactions from this wallet carry base64-encoded C2 instructions (payload URLs)
Fallback C2 (cloud) | hxxps://calendar[.]app[.]google/M2ZCvM8ULL56PD1d6 | Google Calendar event titles used for hidden payload URLs
Payload URL (example) | hxxp://217[.]69[.]3[.]218/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D | Example stage payload retrieval path
Payload URL (example 2) | hxxp://217[.]69[.]3[.]218/get_zombi_payload/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D | Secondary payload retrieval path
P2P overlays | WebRTC / BitTorrent DHT | Peer-to-peer control channels (no fixed network indicator)

Host-Based Indicators and Persistence

Category | Indicator (defanged where applicable) | Notes
Process lineage | Code.exe extension-host child process spawning network listeners or VNC services | Behavioural signature of infection
Persistence | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | User-scope autorun key
Persistence | HKLM\Software\Microsoft\Windows\CurrentVersion\Run | System-scope autorun key (requires admin privileges)
File content | Runs of invisible Unicode variation selectors (U+FE0E / U+FE0F) in .js or .ts files | Hidden Unicode used to conceal loader code

Confirmed Infected Extensions

Extension ID | Platform | Status
codejoy.codejoy-vscode-extension@1.8.3 / 1.8.4 | OpenVSX | Malicious (removed)
l-igh-t.vscode-theme-seti-folder@1.2.3 | OpenVSX | Malicious (removed)
kleinesfilmroellchen.serenity-dsl-syntaxhighlight@0.3.2 | OpenVSX | Malicious
JScearcy.rust-doc-viewer@4.2.1 | OpenVSX | Malicious
SIRILMP.dark-theme-sm@3.11.4 | OpenVSX | Malicious
CodeInKlingon.git-worktree-menu@1.0.9 / 1.0.91 | OpenVSX | Malicious
ginfuru.better-nunjucks@0.3.2 | OpenVSX | Malicious
ellacrity.recoil@0.7.4 | OpenVSX | Malicious
grrrck.positron-plus-1-e@0.0.71 | OpenVSX | Malicious
jeronimoekerdt.color-picker-universal@2.8.91 | OpenVSX | Malicious
srcery-colors.srcery-colors@0.3.9 | OpenVSX | Malicious
cline-ai-main.cline-ai-agent@3.1.3 | VS Code Marketplace | Malicious (removed)

Mitigation and Prevention

Mitigation Checklist

Control Area | Recommended Action | Validation
Publisher Account Security | Enforce hardware-based MFA (FIDO2/U2F) for all OpenVSX, Marketplace, GitHub, and NPM accounts. Revoke and regenerate tokens if compromise is suspected. | MFA enforced; tokens rotated and minimally scoped.
Extension Governance | Implement internal allow-lists and disable automatic updates for extensions that have not been approved. Require internal security review before deployment. | Governance policy documented and applied.
Endpoint Protection | Deploy EDR rules to detect VNC/proxy service creation, registry Run key modifications, and Solana RPC calls from non-browser processes. | Alerts tested and validated.
Network Controls | Block egress to known GlassWorm IPs and restrict outbound UDP 3478/5349 (STUN/TURN) and 16384–32768 (WebRTC media) from developer networks. | Firewall rules deployed and monitored.
Credential Hygiene | Rotate NPM/GitHub/OpenVSX tokens regularly and restrict scopes to least privilege. | Token audits completed; unused tokens revoked.
Unicode Detection | Deploy a hidden-character detector (the “Hidden Character Detector” extension or an equivalent scanner) for invisible Unicode in JS/TS files, both in editors and in CI/CD pipelines. | Tool integrated into commit hooks and pre-build stages.
Incident Playbooks | Develop a GlassWorm-specific response playbook: isolate, revoke, rebuild, audit. | Playbook validated through tabletop testing.

Detection Engineering

Host-Based Detection

  • Alert on Code.exe extension-host child processes (there is no separate extensionHost.exe binary; the extension host runs as a child of Code.exe) spawning VNC or proxy listeners.
  • Monitor registry writes to HKCU\ and HKLM\Software\Microsoft\Windows\CurrentVersion\Run by IDE processes.
  • Scan the user extensions folder (%USERPROFILE%\.vscode\extensions on Windows, ~/.vscode/extensions on macOS and Linux; %APPDATA%\Code holds settings and logs, not extensions) for invisible Unicode sequences (U+FE0E / U+FE0F and the other variation selectors).
  • Identify JavaScript files with lines or string literals that appear blank or unusually long yet contain runs of invisible characters.

Network-Based Detection

Target | Detection Method | Actionable Signals
Solana RPC | Monitor IDE-originated connections to Solana RPC nodes. | Frequent RPC traffic following an extension update.
WebRTC signalling | Monitor STUN/TURN traffic on ports 3478/5349 from non-browser processes. | WebRTC connections from IDE processes.
RTP (media) | Inspect UDP traffic on ports 16384–32768. | High-volume UDP sessions from non-browser processes.
BitTorrent DHT | Use DPI to detect peer-to-peer traffic patterns. | DHT-like activity from developer networks.

Remediation and Containment Checklist

Priority | Area | Required Action | Validation
P1 | Containment | Disconnect infected developer workstations and CI/CD runners from the network immediately. | Isolation confirmed in EDR/NAC logs.
P1 | Credential Revocation | Revoke and regenerate all GitHub PATs, NPM tokens, OpenVSX keys, and related CI/CD credentials. | All compromised tokens replaced.
P2 | System Rebuild | Fully wipe and reimage infected systems; removing the extension is insufficient once ZOMBI has established persistence. | Verified clean OS baseline deployed.
P2 | Repository Audit | Review Git commit history for malicious pushes, check publisher accounts for extension versions you did not release, and scan code for invisible Unicode characters. | Code integrity verified.
P3 | Network Hardening | Block 217[.]69[.]3[.]218 and restrict UDP 3478/5349 and 16384–32768 on developer VLANs. | Firewall rules enforced.
P3 | Tooling Deployment | Mandate invisible-Unicode scanning in developer and CI pipelines. | Tools deployed and validated.
P3 | MFA Enforcement | Require hardware MFA for all critical publishing and SCM actions. | MFA audit complete and enforced.

Risk Assessment

Threat Score – 🔴 8.1 High

GlassWorm presents one of the most sophisticated supply-chain threats to date. It leverages legitimate update mechanisms, employs stealth through invisible code, and communicates via decentralised, immutable networks.
It compromises developer environments, CI/CD runners, and build pipelines, converting trusted assets into active threat nodes.

The combination of:

  • Propagation via auto-updates
  • Invisible code obfuscation
  • Blockchain and P2P C2 infrastructure
  • Credential abuse for self-replication

justifies its classification as a high-severity threat requiring immediate containment and long-term governance reforms.


Conclusion

GlassWorm redefines the concept of a supply-chain compromise by attacking the foundation of trust within the development ecosystem. It bypasses CVE-driven vulnerability management entirely, instead exploiting publisher legitimacy and automation pipelines to spread autonomously.

Traditional takedown strategies are ineffective due to its decentralised architecture (Solana, WebRTC, DHT). Therefore, defence must pivot to behavioural detection, credential governance, and extension verification workflows.

Organisations must recognise developer endpoints and build systems as critical infrastructure, applying Zero Trust segmentation, strict extension governance, and automated invisible-character scanning to protect against this new class of self-propagating supply-chain worm.

