Find notable cyber news and cases, enriched with sources, timelines, and signals.

Glassworm third-wave malicious VS Code packages

Malware Activity
First reported
Last updated
Happening score
H score 30
2 unique sources, 2 articles

Summary

Hide ▲

The Glassworm malware has returned in a third wave of malicious VS Code marketplace packages, expanding exposure for developers who install extensions from OpenVSX and the Microsoft Visual Studio Marketplace. The packages are designed to steal GitHub, npm, and OpenVSX accounts and to harvest cryptocurrency wallet data. They also add SOCKS proxy and HVNC capabilities, increasing the risk of stealthy remote access.

Related Happenings

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

JetBrains Marketplace malicious plugins exfiltrating AI provider keys

Malware Activity
H score12 First: 17.06.2026 12:38 Last: 17.06.2026 12:38 Sources 1

About this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...

Vpmdhaj npm preinstall credential-harvest campaign

Campaign
H score40 First: 29.05.2026 12:11 Last: 29.05.2026 12:11 Sources 1

About this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

GlassWorm supply-chain malware activity

Malware Activity
H score22 First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Timeline

  1. 01.12.2025 23:08 2 articles · 7mo ago

    Glassworm returns in a third wave with Rust implants

    Technical Analysis Update

    On December 1, Glassworm was described as returning in a third wave across OpenVSX and the Microsoft Visual Studio Marketplace with 24 new packages, broader targeting of tools and frameworks such as Flutter, Vim, Yaml, Tailwind, Svelte, React Native, and Vue, and a newer payload that uses Rust-based implants alongside invisible Unicode tricks, SOCKS proxy routing, and HVNC for stealthy remote access; OpenVSX had also said the incident was fully contained after rotating compromised access tokens.

    Show sources
  2. 20.10.2025 03:00 1 articles · 8mo ago

    Glassworm first documented with hidden Unicode code

    Initial Disclosure

    Koi Security first documented Glassworm on October 20 after finding malicious VS Code packages that used invisible Unicode characters to hide their code from review and lure developers into installing extensions that could steal GitHub, npm, and OpenVSX accounts and cryptocurrency wallet data.

    Show sources