GlassWorm malware targets OpenVSX, VS Code registries
Summary
A self-spreading malware named GlassWorm is actively targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces. The malware has been installed an estimated 35,800 times and uses invisible Unicode characters to hide its malicious code. It spreads using stolen account information and employs the Solana blockchain for command-and-control, making it difficult to take down. The malware steals credentials for various developer accounts and cryptocurrency wallet data. It also deploys a SOCKS proxy and VNC clients for remote access. The final payload, ZOMBI, turns infected systems into nodes for criminal activities. The campaign involves at least 11 extensions on OpenVSX and one on Microsoft’s VS Code Marketplace. The full impact includes 35,800 active installations, with some extensions still available for download at the time of reporting.
Timeline
- 20.10.2025 19:13 (1 article)
GlassWorm malware campaign targets OpenVSX and VS Code registries
A self-spreading malware named GlassWorm is actively targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces. The malware uses invisible Unicode characters to hide its malicious code and has been installed an estimated 35,800 times. It steals credentials and cryptocurrency wallet data, deploys a SOCKS proxy, and installs VNC clients for remote access. The final payload, ZOMBI, turns infected systems into nodes for criminal activities. The campaign involves at least 11 extensions on OpenVSX and one on Microsoft’s VS Code Marketplace. The malware uses the Solana blockchain for command-and-control, making it difficult to take down.
- Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
Information Snippets
- GlassWorm uses invisible Unicode characters to hide malicious code.
  First reported: 20.10.2025 19:13 (1 source, 1 article)
  - Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- The malware steals credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data.
  First reported: 20.10.2025 19:13 (1 source, 1 article)
  - Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- GlassWorm deploys a SOCKS proxy and VNC clients for remote access.
  First reported: 20.10.2025 19:13 (1 source, 1 article)
  - Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- The final payload, ZOMBI, turns infected systems into nodes for criminal activities.
  First reported: 20.10.2025 19:13 (1 source, 1 article)
  - Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- The malware uses the Solana blockchain for command-and-control, making takedowns difficult.
  First reported: 20.10.2025 19:13 (1 source, 1 article)
  - Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- Google Calendar and BitTorrent’s Distributed Hash Table (DHT) are used for payload distribution and command distribution.
  First reported: 20.10.2025 19:13 (1 source, 1 article)
  - Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- At least 11 extensions on OpenVSX and one on Microsoft’s VS Code Marketplace were compromised.
  First reported: 20.10.2025 19:13 (1 source, 1 article)
  - Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- The malware has been installed an estimated 35,800 times.
  First reported: 20.10.2025 19:13 (1 source, 1 article)
  - Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13