GlassWorm Malware Resurfaces in VS Code Extensions with Thousands of Installs


These articles are AI-generated summaries. Please check the original sources for full details.

GlassWorm Malware Discovered in Three VS Code Extensions with Thousands of Installs

Cybersecurity researchers uncovered three VS Code extensions infected with GlassWorm malware, which collectively have over 8,000 downloads. The malware uses invisible Unicode characters to hide malicious code and leverages blockchain for command-and-control infrastructure.

Why This Matters

Secure code repositories are assumed to hold clear, auditable code. GlassWorm’s use of Unicode obfuscation and blockchain-based C2 infrastructure breaks that assumption and bypasses traditional detection methods. Koi Security reported that the malware’s self-replication cycle compromised credentials from 49 cryptocurrency wallets and exposed a partial victim list including a major government entity, highlighting the scale of potential network breaches.

Key Insights

  • “8,000+ downloads across three extensions, 2025”: ai-driven-dev (3,402), adhamu.history-in-sublime-merge (4,057), yasuyuky.transient-emacs (2,431)
  • “Unicode obfuscation for persistence”: Malware hides in code editors using invisible characters to evade detection
  • “Blockchain C2 resilience”: Attackers posted a Solana transaction for a new C2 endpoint at $0.0005, ensuring persistence even after server takedowns

Practical Applications

  • Use Case: Government entity compromised via stolen credentials, used as proxy infrastructure
  • Pitfall: Relying on outdated detection tools that fail to parse Unicode obfuscation or track blockchain-based C2
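
A check for the invisible-character technique described above, as an added example that is not from the source article or from Koi Security's tooling. It reports runs of invisible code points in source text; the function name, the run threshold of 4 and the sample input are assumptions made for illustration.

```javascript
// Added example, not from the article or any vendor tooling.
// \p{Cf} covers format controls (zero-width, bidi, tag characters); the two
// ranges are the variation-selector blocks, which are category Mn.
const INVISIBLE = /[\p{Cf}\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/u;

// Assumption: shorter runs are ordinary text (emoji VS16 + ZWJ is a run of 2).
const DEFAULT_MIN_RUN = 4;

const formatCp = (cp) => "U+" + cp.toString(16).toUpperCase().padStart(4, "0");

function findInvisibleRuns(text, minRun = DEFAULT_MIN_RUN) {
  const findings = [];
  let line = 1, column = 0, run = null, first = true;
  const flush = () => {
    if (run && run.codePoints.length >= minRun) {
      findings.push({
        line: run.line,
        column: run.column,
        length: run.codePoints.length,
        sample: run.codePoints.slice(0, 4).map(formatCp),
      });
    }
    run = null;
  };
  for (const ch of text) { // iterates by code point, not UTF-16 unit
    column += 1;
    const isBom = first && ch === "\uFEFF"; // a leading BOM is legitimate
    first = false;
    if (!isBom && INVISIBLE.test(ch)) {
      if (!run) run = { line, column, codePoints: [] };
      run.codePoints.push(ch.codePointAt(0));
    } else {
      flush();
    }
    if (ch === "\n") { line += 1; column = 0; }
  }
  flush();
  return findings;
}

// Constructed sample: a benign emoji comment, then a string literal that
// renders as empty but carries eight variation selectors.
const HIDDEN = String.fromCodePoint(...Array.from({ length: 8 }, (_, i) => 0xe0100 + i));
const SAMPLE = '// note \u2764\uFE0F\u200D\u{1F525}\nconst k = "' + HIDDEN + '";\n';

for (const f of findInvisibleRuns(SAMPLE)) {
  console.log(`line ${f.line}, col ${f.column}: ${f.length} invisible code points`, f.sample);
}
```

Columns are counted in code points, so they can differ from an editor's UTF-16 column; lowering the threshold surfaces ordinary emoji sequences as well.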

Reference: https://thehackernews.com/2025/11/glassworm-malware-discovered-in-three.html
