Glassworm Has Resurfaced in a Third Wave
Glassworm has reappeared in a third wave. Researchers have spotted dozens of newly published Visual Studio Code–compatible extensions. These extensions again carry a suite of clandestine, developer-focused malware behaviors. The most recent activity was discovered in late November and reported on December 1, 2025, by Secure Annex.

Attackers published roughly two dozen impostor packages across both the Microsoft Visual Studio Marketplace and the open OpenVSX registry. They then pushed updates that introduced Rust-based implants and other stealthy components. These packages impersonated popular projects and inflated download counts to appear legitimate. This approach gave the campaign a broad, developer-centric attack surface.
The immediate risk from the latest wave lies in how Glassworm uses the extension update lifecycle and marketplace signals to trick developers into installing weaponized packages. After initial publication, attackers delivered payloads via subsequent updates and then artificially boosted download metrics and search rankings, so the malicious extensions sat alongside, and often immediately next to, the legitimate projects they were impersonating.
Once installed, the extensions deploy a multifaceted tool set designed to harvest credentials and provide covert remote access, turning a developer workstation into a relay and data source.
OpenVSX, which had earlier declared the incident contained, rotated compromised access tokens in response to initial detections; however, the malware nonetheless re-emerged on both registries, illustrating how token rotation and takedowns alone can be insufficient unless combined with publisher vetting, improved artifact review, and downstream telemetry.
Secure Annex's research, which helped map the campaign and enumerate the newly observed packages, shows that the targeting encompasses a broad range of tooling, including everything from Flutter and Tailwind to YAML and Solidity helpers, indicating an intent to target multiple developer communities rather than a single niche.
In the latest iterations, Glassworm exhibits a more mature technical profile. Researchers observed the inclusion of compiled Rust implants inside extension updates, a move that both complicates static review and widens platform reach. The campaign continues to employ invisible Unicode characters to obfuscate code and metadata, making it more likely for human reviewers and simple automated checks to miss malicious strings or suspicious filenames.
When the payload executes, it attempts credential theft for services such as GitHub and NPM, harvests OpenVSX credentials, and deploys mechanisms that provide persistent remote control — notably a SOCKS proxy to route operator traffic through a compromised developer host and an HVNC (hidden VNC) client for stealthy graphical remote access.
The reappearance on both Microsoft's official marketplace and the open OpenVSX registry reflects an adaptive adversary. Where one platform implemented token rotations and removals, attackers cycled publisher accounts and republished under slightly altered names and package identifiers, using inflated popularity metrics to influence search results and make the copycats look convincing.
This manipulation of platform trust signals — downloads, update recency, and ranking — remains a core tactic that helped Glassworm evade simple heuristics and increase exposure.
Other known tactics include:
- Credential harvesting for developer services (GitHub, NPM, OpenVSX) and crypto wallets.
- Remote access and traffic relaying (SOCKS proxy, HVNC), plus compiled Rust implants and Unicode obfuscation.
Poisoning VS Code packages
Glassworm first surfaced in October 2025, when defensive researchers noticed a cluster of malicious extensions that impersonated legitimate projects using minor variations of names and metadata. The initial activity demonstrated a clear supply-chain attack pattern: publish an innocuous extension shell, wait for it to be accepted by the marketplace, then push an update that converts the benign artifact into an active malware loader.
In its earliest stages, the campaign relied heavily on textual obfuscation, specifically invisible Unicode characters and name spoofing; however, it quickly evolved to include compiled binaries and networked implants, making detection and removal more complex.
Aside from impersonation, the adversary systematically abused marketplace trust mechanisms. The actors manipulated download counts and reviews (or created the appearance of them) to raise ranking and reduce the friction for discovery.
This is a distinct supply-chain trick: rather than attempting to compromise a popular existing package directly, the attackers created plausible-looking substitutes and then used platform mechanics to surface them as though they were popular, trusted items. The effect on developers is insidious because it turns ordinary package discovery into an attack vector.
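The name-spoofing half of that trick can be checked mechanically. The following is an added example, not code from this article, Secure Annex, or either marketplace: it compares a candidate "publisher.name" identifier against a constructed allowlist of trusted identifiers (the `example-pub.*` values are hypothetical), after folding confusable and invisible characters, so that both visually identical impostors and off-by-a-letter variants are surfaced.

```python
"""Flag VS Code extension identifiers that look like impostors of trusted ones.

Added example (not from the PCrisk article or from Secure Annex). The
allowlist and candidate identifiers are constructed for illustration.
"""
import unicodedata

# Constructed allowlist of trusted "publisher.name" identifiers (hypothetical values).
TRUSTED = {
    "example-pub.flutter-tools",
    "example-pub.tailwind-helper",
    "example-pub.yaml-lint",
}


def normalize(ident: str) -> str:
    """Fold an identifier to a canonical form before comparison.

    NFKC maps compatibility look-alikes (full-width letters etc.) to their
    plain forms; characters in Unicode category Cf (zero-width spaces and
    joiners, the BOM, bidi controls) are dropped because they render invisibly.
    """
    folded = unicodedata.normalize("NFKC", ident).casefold()
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance computed with a single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate: str, trusted=TRUSTED, max_distance: int = 2):
    """Return the trusted identifier the candidate most resembles, or None.

    A genuine (exact) match is never flagged. A distance of 0 after
    normalization means invisible or confusable characters were used; a
    small positive distance catches minor spelling variations.
    """
    if candidate in trusted:
        return None
    norm = normalize(candidate)
    best = None
    for trusted_id in trusted:
        d = levenshtein(norm, normalize(trusted_id))
        if d <= max_distance and (best is None or d < best[1]):
            best = (trusted_id, d)
    return best[0] if best else None


if __name__ == "__main__":
    # Constructed candidates: one genuine, one with a zero-width space, one typo.
    for cand in ("example-pub.flutter-tools",
                 "example-pub.flutter\u200b-tools",
                 "example-pub.flutter-tool"):
        print(repr(cand), "->", lookalike_of(cand))
```

The edit-distance threshold is a tuning knob: 2 is enough for the one-character variations described here while keeping unrelated identifiers (for example a Solidity helper versus a Tailwind helper) apart.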
At the technical level, Glassworm combines several complementary techniques that make it effective against developer environments:
- Obfuscation at the metadata and code level. Invisible Unicode characters in names and code make manual and automated reviews harder; the resulting confusion can allow dangerous payloads to slip through superficial checks.
- Multi-stage payload delivery. The extension initially appears harmless; a later update introduces compiled implants (recently Rust binaries) and scripts that execute in the developer's environment. Because updates are a normal part of the extension lifecycle, this stage change blends into expected behavior.
- Credential harvesting and lateral usefulness. By stealing tokens and credentials for GitHub, NPM, and OpenVSX, the malware enhances its value for both espionage and further supply-chain compromise, potentially allowing the operator to publish malicious updates to other packages under stolen accounts.
- Persistence and remote control. Deploying SOCKS proxies and HVNC clients turns developer machines into stepping stones and remote access points, allowing operators to tunnel traffic through legitimate hosts and to access graphical sessions without obvious indicators in shell logs.
Combined, these elements make Glassworm more than just a credential stealer; it functions as a small, opportunistic foothold platform that can be leveraged to expand access across ecosystems that depend on VS Code extensions.
Glassworm reveals a fundamental reality of modern software distribution: marketplaces and registries were designed for convenience and rapid collaboration, not as high-security chokepoints. Token rotations and takedowns, while necessary, are reactive measures.
Effective defenses require layered improvements: stricter publisher verification, higher-fidelity behavioral analysis of updates, heuristics that surface unusual packaging, including compiled binaries in extensions and Unicode anomalies, and better telemetry sharing so that downstream users and integrators can quickly identify abnormal extension behavior.
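Two of those heuristics, invisible Unicode in metadata or source and compiled binaries shipped inside an extension (the obfuscation and multi-stage points listed earlier), are simple enough to run as a pre-install or review-queue check. The block below is an added example, not code from this article, Secure Annex, or any marketplace. It takes an already-unpacked extension as a mapping of relative path to bytes (what reading a .vsix zip yields) with its package.json, and reports both anomalies; all sample file contents are constructed, and the magic-number table is deliberately short.

```python
"""Static review heuristics for an unpacked VS Code extension package.

Added example, not from the PCrisk article, Secure Annex, or any registry.
Input: dict of relative path -> bytes, including extension/package.json.
Output: human-readable findings for invisible Unicode and native binaries.
"""
import json
import unicodedata

# Leading bytes of common native executable formats (real values, not exhaustive).
# Note: Java class files also start with CA FE BA BE; treat that hit as "inspect".
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/COFF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal (or Java class)",
}

TEXT_SUFFIXES = (".js", ".ts", ".json", ".md", ".yml", ".yaml")


def native_binary_type(data: bytes):
    """Return the executable format name if data starts with a known magic."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def invisible_chars(text: str):
    """Return (offset, 'U+XXXX', name) for every character that renders invisibly.

    Category Cf covers zero-width spaces/joiners, the BOM and bidi controls;
    a few spacing code points that are blank in most fonts are added by hand.
    """
    blank = {"\u3164", "\u115f", "\u1160", "\u2800"}  # Hangul fillers, Braille blank
    hits = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) == "Cf" or ch in blank:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def review_extension(files: dict):
    """Run both heuristics over an unpacked extension and return a list of findings."""
    findings = []
    manifest = json.loads(files["extension/package.json"].decode("utf-8"))
    for field in ("name", "displayName", "publisher", "description"):
        for off, cp, name in invisible_chars(str(manifest.get(field, ""))):
            findings.append(f"manifest:{field}: invisible {cp} ({name}) at offset {off}")
    for path, data in files.items():
        for off, cp, name in invisible_chars(path):
            findings.append(f"{path}: invisible {cp} ({name}) in file name at offset {off}")
        kind = native_binary_type(data)
        if kind:
            findings.append(f"{path}: compiled {kind} binary shipped inside the extension")
        elif path.endswith(TEXT_SUFFIXES):
            text = data.decode("utf-8", errors="replace")
            for off, cp, name in invisible_chars(text):
                findings.append(f"{path}: invisible {cp} ({name}) at offset {off}")
    return findings


# Constructed sample: a display name with a zero-width space, a source file
# whose name hides a zero-width joiner, and a bare ELF header posing as a helper.
SAMPLE_FILES = {
    "extension/package.json": json.dumps({
        "name": "flutter-tools",
        "displayName": "Flutter Tools\u200b",
        "publisher": "example-pub",
        "version": "1.0.1",
    }).encode("utf-8"),
    "extension/out/main.js": b"const x = 1;\n",
    "extension/out/util\u200d.js": b"module.exports = {};\n",
    "extension/bin/helper": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
}

if __name__ == "__main__":
    for line in review_extension(SAMPLE_FILES):
        print(line)
```

A binary hit is not proof of malice (some legitimate extensions bundle native helpers), which is why the output is a list of findings for a reviewer rather than a verdict; the value is that a compiled implant arriving in a point update stands out instead of blending into the normal update flow.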
Equally important is a cultural shift among developers and organizations. Developer environments should be treated as part of the production attack surface: workstations often hold keys, tokens, and SSH agents that provide immediate, high-value access if stolen.
Treating IDE extensions as potentially sensitive supply-chain dependencies, and applying the same vetting as for remote libraries in CI/CD, will reduce the blast radius of campaigns like Glassworm's.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.