CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

GlassWorm malware targets OpenVSX, VS Code registries

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A self-spreading malware named GlassWorm is actively targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces. The malware has been installed an estimated 35,800 times and uses invisible Unicode characters to hide its malicious code. It spreads using stolen account information and employs the Solana blockchain for command-and-control, making it difficult to take down. The malware steals credentials for various developer accounts and cryptocurrency wallet data. It also deploys a SOCKS proxy and VNC clients for remote access. The final payload, ZOMBI, turns infected systems into nodes for criminal activities. The campaign involves at least 11 extensions on OpenVSX and one on Microsoft’s VS Code Marketplace. The full impact includes 35,800 active installations, with some extensions still available for download at the time of reporting.

Timeline

  1. 20.10.2025 19:13 1 articles · 23h ago

    GlassWorm malware campaign targets OpenVSX and VS Code registries

    A self-spreading malware named GlassWorm is actively targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces. The malware uses invisible Unicode characters to hide its malicious code and has been installed an estimated 35,800 times. It steals credentials and cryptocurrency wallet data, deploys a SOCKS proxy, and installs VNC clients for remote access. The final payload, ZOMBI, turns infected systems into nodes for criminal activities. The campaign involves at least 11 extensions on OpenVSX and one on Microsoft’s VS Code Marketplace. The malware uses the Solana blockchain for command-and-control, making it difficult to take down.

    Show sources

Information Snippets