Cybersecurity researchers have disclosed a new set of three extensions linked to the GlassWorm campaign, indicating continued attempts on the part of threat actors to target the Visual Studio Code (VS Code) ecosystem.
The extensions in question, which are still available for download, are listed below –

GlassWorm, first documented by Koi Security late last month, refers to a campaign in which threat actors leverage VS Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace to harvest Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, and drop additional tools for remote access.
What makes the malware notable is that it uses invisible Unicode characters to hide malicious code from code editors and abuses the stolen credentials to compromise additional extensions and further extend its reach, effectively creating a self-replication cycle that allows it to spread in a worm-like fashion.
In response to the findings, Open VSX said it identified and removed all malicious extensions, in addition to rotating or revoking associated tokens as of October 21, 2025. However, the latest report from Koi Security shows that the threat has resurfaced a second time, using the same invisible Unicode character obfuscation trick to bypass detection.
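A defender's check for the invisible-character trick described above, added here as an example and not code from Koi Security or the article: it scans an extension's JavaScript source for Unicode format characters and variation selectors, which render as nothing in an editor, and reports the lines that carry them. The flagged code point ranges and the sample extension file are assumptions constructed for this example.

```python
import unicodedata
from dataclasses import dataclass

# Code points this example treats as "invisible" in JavaScript source (an
# assumption, not a published detection rule): Unicode format characters
# (category Cf: zero-width space/joiner, bidi controls, the tags block),
# variation selectors (U+FE00-FE0F, U+E0100-E01EF) and Hangul fillers.
# Note that a leading U+FEFF byte-order mark is category Cf and is flagged too.
def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if ch in ("\t", "\n", "\r"):  # ordinary whitespace is fine
        return False
    if unicodedata.category(ch) == "Cf":
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return True
    return cp in (0x115F, 0x1160, 0x3164, 0xFFA0)  # Hangul fillers


@dataclass
class Finding:
    line: int              # 1-based line number in the scanned file
    count: int             # how many invisible code points the line carries
    codepoints: list[str]  # distinct code points seen, e.g. "U+200B"


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per line that contains invisible code points."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hidden = [f"U+{ord(c):04X}" for c in line if is_invisible(c)]
        if hidden:
            findings.append(Finding(lineno, len(hidden), sorted(set(hidden))))
    return findings


# Constructed sample extension.js: two innocent lines, then a line padded with a
# zero-width space and three variation selectors that an editor would not show.
SAMPLE_JS = (
    "const vscode = require('vscode');\n"
    "function activate(context) { console.log('ready'); }\n"
    "module.exports = { activate };\u200b\U000E0100\U000E0101\U000E0102\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f.line}: {f.count} invisible code point(s): {', '.join(f.codepoints)}")
```

Run it over every `.js` file in an extension's `.vsix` before installing; a clean file produces no output.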

“The attacker has posted a fresh transaction to the Solana blockchain, providing an updated C2 [command-and-control] endpoint for downloading the next-stage payload,” security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery said.
“This demonstrates the resilience of blockchain-based C2 infrastructure – even when payload servers are taken down, the attacker can publish a new transaction for a fraction of a cent, and all infected machines automatically fetch the new location.”
The security vendor also revealed it identified an endpoint said to have been inadvertently exposed on the attacker’s server, uncovering a partial list of victims spanning the U.S., South America, Europe, and Asia. This includes a major government entity from the Middle East.

Further analysis has uncovered keylogger data, supposedly from the attacker’s own machine, which has yielded some clues as to GlassWorm’s provenance. The threat actor is assessed to be Russian-speaking and is said to use an open-source browser extension C2 framework named RedExt as part of their infrastructure.
“These are real organizations and real people whose credentials have been harvested, whose machines may be serving as criminal proxy infrastructure, whose internal networks may already be compromised,” Koi Security said.
The development comes shortly after Aikido Security published findings showing that GlassWorm has expanded its focus to target GitHub, indicating the stolen GitHub credentials are being used to push malicious commits to repositories.

