GlassWorm Attack Evolves, Targeting Developers Through VS Code Extension Supply Chain
Cybersecurity researchers have uncovered a new phase of the GlassWorm malware campaign, revealing a more advanced method of spreading malicious code through the Open VSX extension registry used by developers.
Security analysts say the attackers have significantly changed their approach. Instead of embedding malware directly in every extension, the threat actors now use extension relationships to quietly deliver malicious payloads after the extension has already gained user trust.
According to a report from software supply-chain security company Socket, attackers are abusing configuration features such as extensionPack and extensionDependencies to transform harmless-looking extensions into delivery tools for malware during later updates.
This means an extension that initially appears safe may later download and install another extension connected to the GlassWorm operation.
Dozens of Malicious Developer Extensions Discovered
Researchers identified at least 72 malicious extensions added to the Open VSX registry since January 2026. The fake extensions were designed to imitate popular developer tools in order to trick users into installing them.
Many of the disguised extensions pretended to be:
- Code formatters
- Linters
- Debugging tools
- SQL utilities
- AI-powered coding assistant plugins
Some even mimicked tools related to AI coding platforms such as Claude Code and Google Antigravity.
After the campaign was exposed, the Open VSX registry removed several suspicious extensions from its platform.

What Is the GlassWorm Malware Campaign?
GlassWorm is an ongoing cybercrime operation targeting software developers through malicious extensions and supply chain attacks.
The malware is designed to:
- Steal authentication tokens and credentials
- Extract secrets stored in development environments
- Drain cryptocurrency wallets
- Turn compromised systems into proxy infrastructure for cybercriminal operations
Security researchers first documented the campaign in October 2025, but similar techniques were already appearing earlier that year in malicious npm packages.
One particularly deceptive tactic used by the attackers involves hiding malicious code using invisible Unicode characters, making it difficult for developers to spot the threat when reviewing the source code.
New Techniques Make the Malware Harder to Detect
The latest wave of GlassWorm attacks introduces several new features intended to avoid detection.
Researchers found that the malware now:
- Uses stronger code obfuscation techniques
- Rotates Solana cryptocurrency wallets used by the attackers
- Retrieves command-and-control server addresses using Solana blockchain transactions
Using blockchain transactions as a data source allows attackers to dynamically locate their command servers, making the infrastructure more resilient against shutdown attempts.
The malware also checks whether a targeted computer is using a Russian system locale and avoids infecting those systems, a tactic often seen in cybercrime campaigns originating from Russian-speaking regions.

Supply Chain Attack Through Extension Dependencies
One of the most concerning developments is the abuse of extension dependency features within VS Code extensions.
When developers install an extension that lists additional dependencies in its configuration file, the editor automatically installs those related extensions as well.
Attackers exploit this behavior by:
- Uploading a clean extension that appears legitimate
- Allowing it to gain trust from users and pass marketplace review
- Updating the extension later to include a dependency connected to GlassWorm malware
As a result, the extension silently installs the malicious component without raising suspicion.
Security experts warn that this tactic opens the door to new supply chain attack scenarios within developer ecosystems.
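A defender-side check for the update pattern described above, added here as an example (not code from Socket or from the GlassWorm extensions): it diffs two versions of an extension's package.json and reports dependency IDs that appear only in the newer one, flagging those published under a different publisher. The field names extensionDependencies and extensionPack are VS Code's; the two manifests are constructed.

```javascript
// Fields through which a VS Code extension pulls in other extensions.
const DEPENDENCY_FIELDS = ['extensionDependencies', 'extensionPack'];

// Collects every related-extension ID declared in a manifest, lower-cased
// because marketplace IDs are case-insensitive.
function listDependencies(manifest) {
  const ids = new Set();
  for (const field of DEPENDENCY_FIELDS) {
    for (const id of manifest[field] || []) ids.add(id.toLowerCase());
  }
  return ids;
}

// Returns the dependency IDs introduced between two versions of the same
// extension. crossPublisher marks IDs whose publisher prefix differs from
// the extension's own publisher, the case worth a manual look before
// letting an auto-update install it.
function newDependencies(oldManifest, newManifest) {
  const before = listDependencies(oldManifest);
  const publisher = (newManifest.publisher || '').toLowerCase();
  const added = [];
  for (const id of listDependencies(newManifest)) {
    if (before.has(id)) continue;
    const depPublisher = id.split('.')[0];
    added.push({ id, crossPublisher: depPublisher !== publisher });
  }
  return added;
}

// Constructed manifests: 1.0.0 declares no related extensions, 1.0.1 adds two.
const V1 = { name: 'pretty-format', publisher: 'example-pub', version: '1.0.0' };
const V2 = {
  name: 'pretty-format', publisher: 'example-pub', version: '1.0.1',
  extensionPack: ['example-pub.pretty-format-themes', 'other-pub.helper-tools'],
};

for (const d of newDependencies(V1, V2)) {
  console.log(`${V2.version} adds ${d.id}${d.crossPublisher ? ' (different publisher)' : ''}`);
}
```

In practice the two manifests come from the previously installed VSIX and the candidate update; an empty result means the update introduces no new extension installs.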
Attackers Also Infect GitHub and npm Packages
The GlassWorm campaign is not limited to extension marketplaces.
Security firm Aikido discovered that attackers are also injecting malicious payloads into open-source repositories on GitHub.
In many cases, attackers modified projects using invisible Unicode characters that hide malicious instructions inside normal-looking code changes.
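A scanner for the invisible-Unicode technique mentioned here and in the GlassWorm overview above, added as an example (not Aikido's or the campaign's code): it reports the line, column and code point of format and other default-ignorable characters in source text. The character set and the sample source are constructed; column values count UTF-16 code units.

```javascript
// Code points that render as nothing in most editors: Unicode format
// characters (\p{Cf}: zero-width spaces and joiners, BOM, tag characters),
// variation selectors, and the two Hangul filler characters.
const INVISIBLE = /[\p{Cf}\u{FE00}-\u{FE0F}\u{E0100}-\u{E01EF}\u{3164}\u{FFA0}]/gu;

// Returns one finding per invisible character: 1-based line and column
// plus the code point, so a reviewer can jump to the exact spot.
function findInvisibleChars(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(INVISIBLE)) {
      const cp = m[0].codePointAt(0).toString(16).toUpperCase();
      findings.push({ line: i + 1, col: m.index + 1, codePoint: 'U+' + cp.padStart(4, '0') });
    }
  });
  return findings;
}

// Constructed sample: a zero-width space after a statement and two
// variation selectors trailing a declaration, both invisible when rendered.
const SAMPLE = [
  'function greet(name) {',
  '  return "hi " + name;\u200B',
  '}',
  'const x = 1;\uFE0F\uFE0E',
].join('\n');

for (const f of findInvisibleChars(SAMPLE)) {
  console.log(`line ${f.line}, col ${f.col}: ${f.codePoint}`);
}
```

A UTF-8 BOM (U+FEFF) at the very start of a file is a legitimate hit; anything else this reports in a commit diff deserves a look.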
Between March 3 and March 9, 2026, researchers estimate that over 150 GitHub repositories were compromised.
The hidden payload eventually executes a loader script capable of stealing sensitive information from infected machines, including:
- API keys
- Authentication tokens
- Developer credentials
- Environment variables
The same Unicode-based attack technique was also detected in two suspicious npm packages:
- @aifabrix/miso-client
- @iflow-mcp/watercrawl-watercrawl-mcp
Attackers May Be Using AI to Create Convincing Code Changes
Security analysts believe the attackers may be using large language models (LLMs) to help generate realistic commit messages and code updates.
Instead of making obviously malicious changes, the attackers disguise their modifications within commits that look legitimate, such as:
- Minor bug fixes
- Version updates
- Documentation edits
- Small refactoring changes
This makes the malicious activity harder for developers and maintainers to detect during code reviews.

Suspicious npm Packages Raise Further Concerns
In a separate investigation, Endor Labs discovered 88 malicious npm packages uploaded over several months through dozens of disposable developer accounts.
These packages were designed to collect sensitive information from infected systems, including:
- CI/CD pipeline tokens
- Environment variables
- System metadata
The malware used a technique called Remote Dynamic Dependencies (RDD). This allows the attacker to load malicious code from an external server rather than storing it directly inside the npm package.
Because the payload is hosted remotely, attackers can modify or replace the malicious code without releasing a new package version.
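A manifest audit for the remote-dependency pattern described above, added as an example (not Endor Labs' tooling): it flags npm dependency specs that resolve to a URL or git source instead of the registry, and lifecycle scripts that reach the network during install. The sample manifest is constructed.

```javascript
// Dependency specs that npm fetches from somewhere other than the registry:
// plain HTTP(S) tarballs, git URLs, and the github:/gitlab:/bitbucket: shorthands.
const REMOTE_SPEC = /^(https?:\/\/|git(\+[a-z]+)?:\/\/|github:|gitlab:|bitbucket:)/i;

// Install-time hooks npm runs automatically, and a rough marker for
// commands that download something while they run.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const NETWORK_HINT = /\b(curl|wget|fetch\(|https?:\/\/)/i;

// Returns every dependency whose content is hosted outside the registry,
// i.e. can change without a new version being published.
function findRemoteDependencies(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (REMOTE_SPEC.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Returns lifecycle scripts that appear to download code at install time.
function findNetworkLifecycleScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => scripts[hook] && NETWORK_HINT.test(scripts[hook]))
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Constructed manifest: one registry dependency, one tarball served from
// a host the publisher controls, and a lifecycle script that stays local.
const SAMPLE_MANIFEST = {
  name: 'example-pkg',
  version: '1.0.0',
  dependencies: {
    lodash: '^4.17.21',
    'helper-lib': 'https://example.invalid/helper-latest.tgz',
  },
  scripts: { postinstall: 'node scripts/setup.js' },
};

for (const d of findRemoteDependencies(SAMPLE_MANIFEST)) {
  console.log(`${d.field}.${d.name} resolves outside the registry: ${d.spec}`);
}
```

Running both checks against package.json (and the lock file) before installing gives a quick answer to whether a package's code is fixed at publish time or can be swapped by its hosting server.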
Research Experiment or Active Threat?
Some of the suspicious npm packages were later claimed to be part of a security research experiment.
However, Endor Labs questioned that explanation after identifying several red flags, including:
- Excessive data collection beyond what the experiment required
- Lack of transparency toward users
- Frequent rotation of account names and email addresses used to publish the packages
As of March 2026, some of the packages have been updated to replace the data-harvesting code with a simple “Hello, world!” message.
Even so, researchers say the situation highlights a serious problem: dependencies hosted outside official registries allow developers to change code behavior instantly without publishing a new version.
Growing Threat to the Software Supply Chain
The GlassWorm campaign demonstrates how attackers are increasingly targeting developer ecosystems and open-source platforms.
By exploiting extension marketplaces, GitHub repositories, and npm packages, attackers can spread malware through trusted development tools and software dependencies.
Security experts warn that these attacks pose a growing risk to organizations that rely heavily on open-source software and automated development environments.

