GlassWorm malware returning via new VSCode extensions
Malware Activity
Summary
Hide ▲
Show ▼
The GlassWorm malware has returned through three new VSCode extensions, renewing risk to extension users and marketplace accounts. The new extensions have already been downloaded over 10,000 times, extending the malware's reach. GlassWorm uses Solana transactions to fetch payloads that target GitHub, NPM, and OpenVSX credentials, plus cryptocurrency wallet data. Its use of invisible Unicode obfuscation helps the malicious code slip past marketplace defenses and sustain distribution.
Related Happenings
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware Activity
H score23
First: 24.06.2026 23:58
Last: 24.06.2026 23:58
Sources 1
About this happening:
The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware ActivityAbout this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware Activity
H score12
First: 17.06.2026 12:38
Last: 17.06.2026 12:38
Sources 1
About this happening:
A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware ActivityAbout this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
GlassWorm supply-chain malware activity
Malware Activity
H score22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm supply-chain malware activity
Malware ActivityAbout this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm OpenVSX sleeper extension campaign
Campaign
H score45
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm OpenVSX sleeper extension campaign
CampaignAbout this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
Timeline
-
08.11.2025 18:17 2 articles · 8mo ago
GlassWorm returns to OpenVSX with new VSCode extensions
Initial DisclosureGlassWorm returned to OpenVSX with three new VSCode extensions, ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs, which had already been downloaded over 10,000 times. Koi Security says the campaign uses Solana transactions, invisible Unicode character obfuscation, updated command-and-control (C2) endpoints, and the RedExt open-source C2 browser extension framework to target GitHub, NPM, and OpenVSX credentials plus cryptocurrency wallet data, while Open VSX rotated access tokens for breached accounts, added security enhancements, and closed the incident.
Show sources
- GlassWorm malware returns on OpenVSX with 3 new VSCode extensions — www.bleepingcomputer.com — 08.11.2025 18:17
- GlassWorm malware returns on OpenVSX with 3 new VSCode extensions — www.bleepingcomputer.com — 08.11.2025 18:17