GlassWorm self-spreading malware in OpenVSX and VS Code marketplaces
Malware Activity
Summary
GlassWorm is a self-spreading malware wave in the OpenVSX and Microsoft Visual Studio marketplaces, and its estimated 35,800 installations put developer systems and extension ecosystems at immediate risk. It hides malicious code with invisible Unicode characters, steals GitHub, npm, and OpenVSX credentials, and can convert infected machines into SOCKS proxy and VNC remote-access nodes. Its Solana-based command-and-control and fallback delivery paths make the infection harder to remove and disrupt.
Related Happenings
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score: 15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Glassworm botnet command-and-control disruption
Malware Activity
H score: 10
First: 27.05.2026 17:00
Last: 27.05.2026 17:00
Sources 1
About this happening:
The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...
GlassWorm supply-chain malware activity
Malware Activity
H score: 22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score: 68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score: 23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Timeline
- 20.10.2025 19:13 · 1 article · 8mo ago
GlassWorm compromises seven OpenVSX extensions
Exploitation Observed: Seven OpenVSX extensions were compromised on October 17, 2025, and more infections followed over the next couple of days on OpenVSX and VS Code. GlassWorm hides malicious code with invisible Unicode characters and can spread by abusing stolen account information to reach additional extensions.
Sources:
- Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- 20.10.2025 19:13 · 2 articles · 8mo ago
Koi Security details the ongoing GlassWorm campaign
Technical Analysis Update: Koi Security describes an ongoing supply-chain attack against OpenVSX and Microsoft Visual Studio/VS Code marketplaces that has reached an estimated 35,800 installations. The campaign steals GitHub, npm, and OpenVSX credentials, deploys SOCKS proxy and HVNC access, and uses Solana blockchain with Google Calendar and a direct IP channel for command-and-control and payload delivery.
Sources:
- Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
- Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13