Glassworm third-wave malicious VS Code packages
Malware Activity
Summary
Hide ▲
Show ▼
The Glassworm malware has returned in a third wave of malicious VS Code marketplace packages, expanding exposure for developers who install extensions from OpenVSX and the Microsoft Visual Studio Marketplace. The packages are designed to steal GitHub, npm, and OpenVSX accounts and to harvest cryptocurrency wallet data. They also add SOCKS proxy and HVNC capabilities, increasing the risk of stealthy remote access.
Related Happenings
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware Activity
H score12
First: 17.06.2026 12:38
Last: 17.06.2026 12:38
Sources 1
About this happening:
A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware ActivityAbout this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
Vpmdhaj npm preinstall credential-harvest campaign
Campaign
H score40
First: 29.05.2026 12:11
Last: 29.05.2026 12:11
Sources 1
About this happening:
A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
Vpmdhaj npm preinstall credential-harvest campaign
CampaignAbout this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
GlassWorm supply-chain malware activity
Malware Activity
H score22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm supply-chain malware activity
Malware ActivityAbout this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Timeline
-
01.12.2025 23:08 2 articles · 7mo ago
Glassworm returns in a third wave with Rust implants
Technical Analysis UpdateOn December 1, Glassworm was described as returning in a third wave across OpenVSX and the Microsoft Visual Studio Marketplace with 24 new packages, broader targeting of tools and frameworks such as Flutter, Vim, Yaml, Tailwind, Svelte, React Native, and Vue, and a newer payload that uses Rust-based implants alongside invisible Unicode tricks, SOCKS proxy routing, and HVNC for stealthy remote access; OpenVSX had also said the incident was fully contained after rotating compromised access tokens.
Show sources
- Glassworm malware returns in third wave of malicious VS Code packages — www.bleepingcomputer.com — 01.12.2025 23:08
- GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools — thehackernews.com — 02.12.2025 17:01
-
20.10.2025 03:00 1 articles · 8mo ago
Glassworm first documented with hidden Unicode code
Initial DisclosureKoi Security first documented Glassworm on October 20 after finding malicious VS Code packages that used invisible Unicode characters to hide their code from review and lure developers into installing extensions that could steal GitHub, npm, and OpenVSX accounts and cryptocurrency wallet data.
Show sources
- Glassworm malware returns in third wave of malicious VS Code packages — www.bleepingcomputer.com — 01.12.2025 23:08