PROBABLYPWNED
Malware | March 15, 2026 | 4 min read

GlassWorm Escalates: 72 Malicious VSCode Extensions Steal Credentials

GlassWorm supply chain attack spreads via 72 Open VSX extensions using invisible Unicode obfuscation. Targets crypto wallets, API tokens, and CI/CD pipelines.

James Rivera

A third wave of the GlassWorm malware campaign has placed at least 72 malicious extensions in the Open VSX registry, a significant escalation from the initial three extensions discovered in October 2025. The attack specifically targets developers using open-source alternatives to the official Visual Studio Marketplace.

TL;DR

  • What happened: GlassWorm operators uploaded 72 malicious Open VSX extensions that steal credentials and deploy RATs
  • Who's affected: Developers using VSCode with Open VSX, particularly those in crypto and AI development
  • Severity: High - targets production credentials and CI/CD pipelines
  • Action required: Audit installed extensions immediately; remove any from suspicious publishers

How the Attack Chain Works

Between March 3 and March 9, 2026, researchers at Koi Security identified the malicious extensions masquerading as legitimate developer utilities. The list includes fake linters, formatters, code runners, and impersonators of AI-powered coding assistants like Claude Code and Google Antigravity.

The campaign's defining characteristic is its use of invisible Unicode characters to hide malicious code. Attackers leveraged variation selectors and Private Use Area characters that produce no visual output in code editors—making the payload invisible to manual inspection.

"What makes this particularly insidious is the combination of social proof and technical stealth," explained the Koi Security report. The extensions often had legitimate-looking commit histories, with LLM-generated commits mimicking authentic development activity.

The attack unfolds in stages:

  1. Transitive dependency abuse: Malicious extensions declare benign-looking dependencies in package.json that pull additional payloads
  2. Unicode payload extraction: Hidden characters in source files decode to functional JavaScript loaders
  3. Remote Dynamic Dependencies: Custom HTTP URLs in package manifests enable real-time payload modifications

What Gets Stolen

GlassWorm aggressively harvests developer credentials across multiple platforms:

  • NPM authentication tokens
  • GitHub personal access tokens
  • OpenVSX publisher credentials
  • Git credentials from local configs
  • Environment variables from .env files
  • Cryptocurrency wallet data from 49 different browser extensions

The AppsFlyer SDK supply chain attack we covered yesterday used similar crypto-targeting techniques, suggesting a broader trend of financially motivated supply chain compromises in the developer ecosystem.

Command and Control via Blockchain

The C2 infrastructure demonstrates notable sophistication. Primary communication routes through the Solana blockchain, where the malware queries transactions from a hardcoded attacker wallet to receive encoded commands. This makes the C2 channel resistant to traditional domain takedowns.

As a fallback, GlassWorm queries specific Google Calendar event URLs, with Base64-encoded C2 addresses hidden in event titles. This mirrors techniques we've seen in other infostealers abusing legitimate services for command delivery.

GitHub Repositories Also Compromised

The campaign extends beyond VSCode extensions. Researchers identified approximately 151 GitHub repositories compromised between March 3 and March 9, with attackers injecting the same invisible Unicode payload technique into otherwise legitimate codebases.

This broader scope suggests the operators are building a persistent presence across developer infrastructure, not just targeting individual extension users.

Which Extensions Are Affected

Security researchers published a partial list of malicious extension identifiers:

  • angular-studio.ng-angular-extension
  • crotoapp.vscode-xml-extension
  • gvotcha.claude-code-extension
  • mswincx.antigravity-cockpit
  • tamokill12.foundry-pdf-extension
  • turbobase.sql-turbo-tool
  • vce-brendan-studio-eich.js-debuger-vscode

The full list includes two malicious npm packages: @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp.

Evasion Techniques

GlassWorm includes multiple anti-analysis features:

  • Russian locale detection: The malware terminates if it detects Russian system locales, suggesting the operators are avoiding CIS targets
  • Virtual machine detection: Standard VM fingerprinting to evade sandboxes
  • Solana wallet rotation: C2 addresses change via blockchain transactions, complicating infrastructure takedowns

Defending Your Development Environment

Organizations should take immediate action:

  1. Audit all installed extensions - Remove anything from unverified publishers
  2. Monitor for invisible Unicode - Add pre-commit hooks that detect non-standard Unicode in source files
  3. Review dependency declarations - Check for Remote Dynamic Dependencies in package.json files
  4. Rotate potentially exposed credentials - Any API tokens, NPM tokens, or GitHub PATs on affected systems should be considered compromised
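Steps 2 and 3 above (invisible Unicode detection and a check for Remote Dynamic Dependencies) are the defensive counterpart of the hiding technique described in the attack chain section. The following Node.js scanner is an added example, written here for illustration; it is not code from the article, from Koi Security, or from any of the named extensions. The list of "invisible" code point ranges, the regular expressions for non-registry dependency specs, the function names (`findInvisibleChars`, `findRemoteDependencies`, `scanFile`) and the sample source file and package.json are all assumptions constructed for this example.

```javascript
// Added example, not from the article or the Koi Security report.
// A pre-commit style scanner with two checks:
//   1. flag non-printing Unicode code points in source text (variation
//      selectors, Private Use Area, zero-width and bidi controls)
//   2. flag dependency specs in package.json that resolve outside the
//      npm registry (URLs, git remotes, tarballs, local paths)
// Ranges, regexes and sample inputs below are constructed for illustration.

const INVISIBLE_RANGES = [
  [0x200b, 0x200f, 'zero-width / bidi mark'],
  [0x202a, 0x202e, 'bidi embedding/override'],
  [0x2060, 0x2064, 'word joiner / invisible operator'],
  [0x2066, 0x2069, 'bidi isolate'],
  [0xfe00, 0xfe0f, 'variation selector'],
  [0xfeff, 0xfeff, 'byte order mark / zero-width no-break space'],
  [0xe000, 0xf8ff, 'private use area (BMP)'],
  [0xe0100, 0xe01ef, 'variation selector supplement'],
  [0xf0000, 0xffffd, 'private use area (plane 15)'],
  [0x100000, 0x10fffd, 'private use area (plane 16)'],
];

function classifyCodePoint(cp) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// Iterate by code point (not UTF-16 unit) so that astral-plane characters
// such as U+E0100 are examined as a single character.
function findInvisibleChars(text) {
  const findings = [];
  let line = 1;
  let col = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp === 0x0a) { line++; col = 0; continue; }
    col++;
    const label = classifyCodePoint(cp);
    if (label) {
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      findings.push({ line, col, codePoint: 'U+' + hex, label });
    }
  }
  return findings;
}

// Registry specs look like "^1.2.3", "~2.0.0", "1.x", "latest" or "npm:alias@1.0.0".
// Anything that resolves to a URL, git remote, tarball or filesystem path is
// fetched outside the registry's controls and is reported.
const REMOTE_SPEC = /^(https?:\/\/|git(\+\w+)?:\/\/|git@|github:|gitlab:|bitbucket:|gist:|file:|[\w.-]+\/[\w.-]+(#|$))/i;
const TARBALL_SPEC = /\.(tgz|tar\.gz)$/i;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

function findRemoteDependencies(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec === 'string' && (REMOTE_SPEC.test(spec) || TARBALL_SPEC.test(spec))) {
        findings.push({ field, name, spec });
      }
    }
  }
  return findings;
}

// One entry point per file; a hook would call this for every staged file.
function scanFile(path, text) {
  const issues = [];
  if (path.endsWith('package.json')) {
    for (const f of findRemoteDependencies(text)) {
      issues.push(`${path}: ${f.field}.${f.name} resolves outside the registry: "${f.spec}"`);
    }
  }
  for (const f of findInvisibleChars(text)) {
    issues.push(`${path}:${f.line}:${f.col} invisible code point ${f.codePoint} (${f.label})`);
  }
  return issues;
}

// Constructed sample inputs: a source file with hidden characters appended to
// two lines, and a manifest mixing registry specs with a tarball URL and a
// GitHub shorthand. example.invalid is a placeholder host.
const SAMPLE_SOURCE =
  'const greet = "hello";\n' +
  'function run() {\u200b\n' +
  '  return greet;\uFE0F\u{E0100}\n' +
  '}\n';

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-extension',
  dependencies: {
    lodash: '^4.17.21',
    'loader-helper': 'https://example.invalid/pkg/loader-helper-1.0.0.tgz',
  },
  devDependencies: {
    eslint: '~9.0.0',
    'build-utils': 'github:someone/build-utils#main',
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const issue of scanFile('src/extension.js', SAMPLE_SOURCE)) console.log(issue);
  for (const issue of scanFile('package.json', SAMPLE_PACKAGE_JSON)) console.log(issue);
}
```

Run against the samples, the scanner reports three hidden code points in the source (one zero-width space and two variation selectors) and two dependencies that would be fetched from a URL or a git remote instead of the registry. The Unicode ranges are deliberately broader than variation selectors alone, since the same hiding approach works with zero-width and bidi control characters; projects that legitimately ship emoji with variation selectors (for example in localisation files) should add per-path exceptions rather than weaken the check globally.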

The Tirith open-source tool can help detect homoglyph attacks in command strings, though additional tooling may be needed for Unicode variation selector detection.

Why This Matters

Developer workstations represent high-value targets precisely because they hold keys to production infrastructure. A compromised CI/CD pipeline can enable supply chain attacks at scale, turning one developer's infected extension into thousands of compromised downstream applications.

The GlassWorm campaign demonstrates that supply chain attacks have matured beyond proof-of-concept. The combination of blockchain-based C2, invisible code obfuscation, and AI-generated cover stories suggests well-resourced operators with long-term persistence goals.

For organizations running air-gapped development environments, the extension ecosystem still presents risk through manual transfers. Even offline systems need extension vetting procedures.
