GlassWorm self-spreading malware in OpenVSX and VS Code marketplaces

Malware Activity
Happening score: 33
1 unique source, 1 article

Summary

GlassWorm is a self-spreading malware wave in the OpenVSX and Microsoft Visual Studio marketplaces, and its estimated 35,800 installations put developer systems and extension ecosystems at immediate risk. It hides malicious code with invisible Unicode characters, steals GitHub, npm, and OpenVSX credentials, and can convert infected machines into SOCKS proxy and VNC remote-access nodes. Its Solana-based command-and-control and fallback delivery paths make the infection harder to remove and disrupt.

Related Happenings

Glassworm botnet command-and-control disruption

Malware Activity
First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Timeline

  1. 20.10.2025 19:13 1 article · 7mo ago

    GlassWorm compromises seven OpenVSX extensions

    Exploitation Observed

    Seven OpenVSX extensions were compromised on October 17, 2025, and more infections followed over the next couple of days on OpenVSX and VS Code. GlassWorm hides malicious code with invisible Unicode characters and can spread by abusing stolen account information to reach additional extensions.

  2. 20.10.2025 19:13 2 articles · 7mo ago

    Koi Security details the ongoing GlassWorm campaign

    Technical Analysis Update

    Koi Security describes an ongoing supply-chain attack against OpenVSX and Microsoft Visual Studio/VS Code marketplaces that has reached an estimated 35,800 installations. The campaign steals GitHub, npm, and OpenVSX credentials, deploys SOCKS proxy and HVNC access, and uses Solana blockchain with Google Calendar and a direct IP channel for command-and-control and payload delivery.
