The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue.
GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm, Open VSX, GitHub, and Git credentials, drain cryptocurrency assets from dozens of wallets, and turn developer machines into attacker-controlled nodes for other criminal activities.
The most crucial aspect of the campaign is the abuse of the stolen credentials to compromise additional packages and extensions, thereby spreading the malware like a worm. Despite continued efforts of Microsoft and Open VSX, the malware resurfaced a second time last month, and the attackers were observed targeting GitHub repositories.
The latest wave of the GlassWorm campaign, spotted by Secure Annex’s John Tuckner, involves a total of 24 extensions spanning both repositories. The list of identified extensions is below –
VS Code Marketplace:
- iconkieftwo.icon-theme-materiall
- prisma-inc.prisma-studio-assistance (removed as of December 1, 2025)
- prettier-vsc.vsce-prettier
- flutcode.flutter-extension
- csvmech.csvrainbow
- codevsce.codelddb-vscode
- saoudrizvsce.claude-devsce
- clangdcode.clangd-vsce
- cweijamysq.sync-settings-vscode
- bphpburnsus.iconesvscode
- klustfix.kluster-code-verify
- vims-vsce.vscode-vim
- yamlcode.yaml-vscode-extension
- solblanco.svetle-vsce
- vsceue.volar-vscode
- redmat.vscode-quarkus-pro
- msjsdreact.react-native-vsce
Open VSX:
- bphpburn.icons-vscode
- tailwind-nuxt.tailwindcss-for-react
- flutcode.flutter-extension
- yamlcode.yaml-vscode-extension
- saoudrizvsce.claude-dev
- saoudrizvsce.claude-devsce
- vitalik.solidity
The attackers have been found to artificially inflate the download counts to make the extensions appear trustworthy and cause them to prominently appear in search results, often in close proximity to the actual projects they impersonate to deceive developers into installing them.
“Once the extension has been approved initially, the attacker seems to easily be able to update code with a new malicious version and easily evade filters,” Tuckner said. “Many code extensions begin with an ‘activate’ context, and the malicious code is slipped in right after the activation occurs.”
The new iteration, while still relying on the invisible Unicode trick, is characterized by the use of Rust-based implants that are packaged inside the extensions. In an analysis of the “icon-theme-materiall” extension, Nextron Systems said it comes with two Rust implants that are capable of targeting Windows and macOS systems –
- A Windows DLL named os.node
- A macOS dynamic library named darwin.node
As observed in the previous GlassWorm infections, the implants are designed to fetch details of the C2 server from a Solana blockchain wallet…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
