GlassWorm malware returning via new VSCode extensions

Malware Activity
Happening score
H score 34
1 unique source, 1 article

Summary

The GlassWorm malware has returned through three new VSCode extensions, renewing risk to extension users and marketplace accounts. The new extensions have already been downloaded over 10,000 times, extending the malware's reach. GlassWorm uses Solana transactions to fetch payloads that target GitHub, NPM, and OpenVSX credentials, plus cryptocurrency wallet data. Its use of invisible Unicode obfuscation helps the malicious code slip past marketplace defenses and sustain distribution.
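
The following is an added example, not code from the original report or from Koi Security: a defender-side check that scans extension source text for runs of invisible Unicode code points, the obfuscation technique named in the summary. The code point ranges, the function names and the run threshold are assumptions, since the page does not say which characters GlassWorm uses; the sample input is constructed.

```javascript
// Added example: flag runs of invisible Unicode code points in extension source text.
// Assumption: these ranges are a general set; the page does not name the characters used.
const INVISIBLE_RANGES = [
  [0x00ad, 0x00ad],   // soft hyphen
  [0x200b, 0x200f],   // zero-width space and joiners, LRM/RLM
  [0x202a, 0x202e],   // bidi embedding and override controls
  [0x2060, 0x2064],   // word joiner, invisible operators
  [0x2066, 0x2069],   // bidi isolates
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // zero-width no-break space / BOM
  [0xe0000, 0xe007f], // tag characters
  [0xe0100, 0xe01ef], // variation selectors supplement
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per run of consecutive invisible code points.
// minRun filters out short runs such as a single emoji variation selector.
function findInvisibleRuns(source, minRun = 1) {
  const findings = [];
  let line = 1, column = 1, run = null;
  const flush = () => {
    if (run && run.length >= minRun) findings.push(run);
    run = null;
  };
  // Array.from iterates by code point, so astral characters count once.
  Array.from(source).forEach((ch, i) => {
    const cp = ch.codePointAt(0);
    const leadingBom = i === 0 && cp === 0xfeff; // a BOM at offset 0 is normal
    if (isInvisible(cp) && !leadingBom) {
      if (!run) run = { line, column, length: 0, first: 'U+' + cp.toString(16).toUpperCase() };
      run.length += 1;
    } else {
      flush();
    }
    if (ch === '\n') { line += 1; column = 1; } else { column += 1; }
  });
  flush();
  return findings;
}

// Constructed sample: a normal line, then a string literal holding 40 hidden code points.
const hidden = String.fromCodePoint(...Array.from({ length: 40 }, (_, i) => 0xe0100 + i));
const sample = '\uFEFFconst ok = "caf\u00e9";\nconst s = "' + hidden + '";\n';
const report = findInvisibleRuns(sample, 8);
console.log(report);
```

A long run inside a string literal that renders as empty is the signal to review by hand; short runs are common in legitimate emoji and bidirectional text.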

Related Happenings

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

GlassWorm multi-stage data-theft malware evolution

Malware Activity
First: 25.03.2026 16:26 Last: 25.03.2026 16:26 Sources 1

About this happening: The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...

Timeline

  1. 08.11.2025 18:17 2 articles · 6mo ago

    GlassWorm returns to OpenVSX with new VSCode extensions

    Initial Disclosure

    GlassWorm returned to OpenVSX with three new VSCode extensions, ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs, which had already been downloaded over 10,000 times. Koi Security says the campaign uses Solana transactions, invisible Unicode character obfuscation, updated command-and-control (C2) endpoints, and the RedExt open-source C2 browser extension framework to target GitHub, NPM, and OpenVSX credentials plus cryptocurrency wallet data. Open VSX rotated access tokens for breached accounts, added security enhancements, and closed the incident.