TL;DR

GlassWorm (first flagged by Koi Security in October 2025) is the first self-propagating worm to spread through VS Code / Open VSX extensions. It hides its payload using invisible Unicode characters that don't render in any editor — code that is literally invisible to a human reviewer — and takes commands from a quad-redundant C2 (a Solana blockchain memo as an un-takedownable dead-drop, plus BitTorrent DHT, Google Calendar dead-drops, and direct VPS IPs). It steals npm/GitHub/Git credentials, drains 49 crypto-wallet extensions, drops SOCKS proxies and hidden VNC servers, and republishes itself into more extensions to keep spreading. It has returned in multiple waves through 2026 (Dec 2025; 24 extensions, then 72+ Open VSX extensions since Jan 31; a v2 wave in Mar–Apr 2026 hitting 150+ GitHub repos).

Update 2026-05-31 — disrupted. On 2026-05-26 14:00 UTC, CrowdStrike Counter Adversary Operations + Google + the Shadowserver Foundation executed a coordinated takedown, simultaneously disabling all four C2 channels (Solana blockchain memos, BitTorrent DHT, Google Calendar dead-drops, direct VPS IPs). The takedown stopped new payload delivery but did not uninstall the malware, rotate stolen credentials, or undo downstream credential resale.

Update 2026-06-12 — back: new Mac wave with reconstituted fresh infrastructure. Koi Security and BleepingComputer report a new GlassWorm wave targeting macOS exclusively with fresh C2 infrastructure — the first wave to survive the May 26 takedown and reconstitute. The operator rebuilt on new infrastructure, pivoted from Windows-only to macOS-first, and added a hardware-wallet trojanization capability (Ledger Live and Trezor Suite replaced with backdoored versions). Status reverted to active. Defensive cue: eBPF/EDR tools that detected the Windows variant may not detect the macOS AppleScript/LaunchAgent-based variant — check koi.ai IOC list for the macOS wave specifically.

What happened

GlassWorm's signature trick is steganographic source: the malicious logic is encoded in printable-but-non-rendering Unicode (e.g., variation selectors / invisible code points), so a maintainer or reviewer eyeballing the extension's source sees nothing. This defeats human review and most diff-based checks.

Capabilities across waves: steals npm/GitHub/Git credentials (reused to publish the worm into more packages → self-propagation), drains 49 crypto-wallet browser extensions, deploys SOCKS proxies and hidden VNC for remote control, and logs keystrokes / dumps cookies+session tokens / takes screenshots. C2 is resilient: a Solana blockchain memo acts as a censorship-resistant dead-drop, backed by direct IP and Google Calendar fallbacks.

Timeline: - 2025-10 — Koi Security discovers GlassWorm in 3 Open VSX / VS Code extensions (thousands of installs); npm packages using the same invisible-Unicode tactic trace back to ~March 2025. - 2025-12 — returns with 24 malicious extensions impersonating popular dev tools. - 2026-01-31 →72+ additional malicious Open VSX extensions discovered. - 2026-03 (v2) — fresh wave; GitHub compromises ~Mar 3–9, 150+ repos; ~433 components estimated across Open VSX, VS Code Marketplace, GitHub, and npm. - 2026-0473 fake VS Code extensions delivering GlassWorm v2. - 2026-05-26 14:00 UTCCrowdStrike + Google + Shadowserver coordinated takedown disables all four C2 channels simultaneously; attribution narrows to a likely Russia-based operator (malware exits on CIS-country locale checks; Russian-language source comments). The takedown caps a campaign that had poisoned 300+ GitHub repos via stolen credentials alone. - 2026-06-09/10GlassWASM: TinyGo-compiled WebAssembly stager on Open VSX (Socket Research, 2026-06-15). Two trojanized extensions published on the Open VSX registry by the account zaitoona43 (GitHub UID 291961103): ExarGD/vsblack@0.0.1 (June 9) and noellee-doc/flint-debug@0.1.1 (June 10). Both are identity-cloned impersonations of legitimate VS Code Marketplace extensions. New evasion technique: the stager is a TinyGo-compiled WebAssembly module with ChaCha20-encrypted string constants — all network indicators and C2 commands are hidden from static analysis. The WASM module is loaded at runtime and constructs platform-specific download-and-execute payloads (curl | bash on macOS/Linux; irm | iex PowerShell on Windows). C2: Same Solana mainnet wallet as prior GlassWorm waves (6ExrZayPZzMMSnszc42cH81DpuKT8FhCX9H6Sesn6rpz); active C2 host at time of analysis: dodod.lat. Affects all Open VSX consumers: VSCodium, Cursor, Windsurf, Gitpod and any VS Code instance configured with Open VSX. Both extensions removed from the registry following Socket's report. Attribution to GlassWorm campaign assessed with medium confidence based on the shared Solana wallet address and payload delivery chain. - 2026-06-12 (post-takedown)New macOS-targeting wave with fresh infrastructure (Koi Security / BleepingComputer). Operator reconstituted on new C2. Targeting macOS exclusively for the first time. New payload: AES-256-CBC encryption, AppleScript persistence (vs. PowerShell), LaunchAgent persistence (vs. Registry), and a hardware-wallet trojanization module targeting Ledger Live and Trezor Suite app bundles. Also sweeps 50+ browser crypto extensions, GitHub/npm tokens, Safari/Chrome browser data, and macOS Keychain. Hardware-wallet trojans appear incomplete at time of disclosure ("returning empty files") — attacker likely still finalizing macOS wallet payloads. Status reverted to active. Confirmed macOS-wave extension IOCs (Open VSX): pro-svelte-extension, vsce-prettier-pro, full-access-catppuccin-pro-extension — all impersonate popular Open VSX extensions with added macOS-specific payload modules.

The campaign kept recurring because takedowns couldn't reach the Solana dead-drop and the worm re-seeded itself with every set of stolen publish credentials — the same IDE-extension trust surface abused by the Nx Console compromise and the TeamPCP GitHub breach. The 2026-05-26 takedown finally hit all four redundancy channels at once, which is why it worked — a less coordinated strike would have let the Solana dead-drop carry survivors. The downstream lesson: infostealer-harvested credentials don't expire when the C2 diesMegalodon's 5,561-repo wave (May 18) is what credential resale of this corpus looks like.

Am I affected?

You're at risk if you install extensions from Open VSX (the default marketplace for VS Code forks like Cursor, Windsurf, VSCodium) or sideload niche VS Code extensions.

# Enumerate installed extensions across editors
code     --list-extensions --show-versions 2>/dev/null
cursor   --list-extensions --show-versions 2>/dev/null
codium   --list-extensions --show-versions 2>/dev/null

# Heuristic: scan extension sources for invisible/zero-width Unicode (a GlassWorm tell)
grep -RIlP '[\x{200B}-\x{200F}\x{202A}-\x{202E}\x{2060}-\x{2064}\x{FE00}-\x{FE0F}\x{E0000}-\x{E007F}]' \
  ~/.vscode/extensions ~/.cursor/extensions ~/.vscode-oss/extensions 2>/dev/null

If a flagged extension turns up, treat the machine as compromised: npm/GitHub/Git creds, browser sessions, and any crypto-wallet extensions are all in scope.

IOCs / tells

Type Value
Obfuscation Invisible/zero-width Unicode in extension source
C2 (all four disrupted 2026-05-26) (1) Solana blockchain memo (dead-drop), (2) BitTorrent DHT (configuration data), (3) Google Calendar event titles, (4) direct VPS IPs
Targets npm/GitHub/Git creds, 49 crypto-wallet extensions
Persistence SOCKS proxy + hidden VNC servers
Marketplaces Open VSX (primary), VS Code Marketplace; also GitHub + npm
macOS-wave IOC extensions pro-svelte-extension, vsce-prettier-pro, full-access-catppuccin-pro-extension (Open VSX)
macOS-wave new C2 Fresh infrastructure; prior Solana/DHT/Calendar C2 channels replaced
GlassWASM extension IOCs ExarGD/vsblack@0.0.1, noellee-doc/flint-debug@0.1.1 (Open VSX, published June 9-10, 2026)
GlassWASM publisher account zaitoona43 (GitHub UID 291961103)
GlassWASM Solana wallet 6ExrZayPZzMMSnszc42cH81DpuKT8FhCX9H6Sesn6rpz (shared with prior GlassWorm waves)
GlassWASM C2 host dodod.lat (observed June 2026)
GlassWASM stager tech TinyGo-compiled WebAssembly; ChaCha20-encrypted C2 URLs
First flagged Koi Security, 2025-10
Attribution Likely Russia-based (CIS-locale exit checks, Russian-language source comments)
Takedown CrowdStrike Counter Adversary Operations + Google + Shadowserver Foundation, 2026-05-26 14:00 UTC, all 4 C2 channels simultaneously

If you are affected

playbooks/if-your-github-pat-leaked.mdplaybooks/if-your-npm-token-leaked.mdplaybooks/rotating-cloud-credentials.md

Prevention

prevention/agent-sandboxing.mdprevention/credential-hygiene.md → Prefer verified-publisher, first-party extensions; disable silent auto-update on credential-holding editors; be especially wary of typosquatted "popular dev tool" clones on Open VSX, which is GlassWorm's primary vector.

Sources