
GlassWorm campaign returns in repeated waves across extension marketplaces

Campaign
Happening score: 40
3 unique sources, 9 articles

Summary


GlassWorm is an ongoing supply-chain attack targeting developers through the OpenVSX and Microsoft Visual Studio Marketplace extension ecosystems. In the latest confirmed wave, the malware was installed an estimated 35,800 times across infected extensions, including OpenVSX packages and one Microsoft VS Code Marketplace extension. The payload hides malicious code with invisible Unicode characters, steals GitHub, npm, and OpenVSX credentials plus cryptocurrency wallet data, and spreads through stolen account access. The operators use Solana blockchain for command-and-control, with Google Calendar as a backup delivery path, while some compromised extensions were still available and the C2 and payload servers remained active at publication time.

Related Happenings

Glassworm botnet command-and-control disruption

Malware Activity
First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

How related: Working together, the three organizations managed to simultaneously take down all four of Glassworm's command-and-control (C2) channels, severing the operators from their infected machines and their ability to deliver new malicious payloads.

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

How related: GlassWorm, since its emergence last year, has conducted a "multi-pronged campaign" using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX, thereby making it possible to target users of VS Code forks like Cursor, Positron, Windsurf, and VSCodium.

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deed RAT and TernDoor multi-wave deployment

Malware Activity
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **multi-wave malware deployment** delivered **Deed RAT (Snappybee)** and **TernDoor** into an **Azerbaijani oil and gas company** across **three waves**, creating repeated footh...

Timeline

  1. 17.03.2026 23:42 4 articles · 2mo ago

    GlassWorm expands supply-chain campaign across GitHub, npm, and VSCode/OpenVSX

    Campaign Scope Update

    GlassWorm renewed its supply-chain campaign with a coordinated wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX this month, including 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. Attackers compromised GitHub accounts to force-push malicious commits, then published obfuscated packages and extensions that queried a Solana blockchain C2 channel every five seconds and delivered a Node.js-based JavaScript infostealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

  2. 01.01.2026 17:18 4 articles · 4mo ago

    Fourth GlassWorm wave targets macOS developers

    Initial Disclosure

    A fourth GlassWorm wave targets macOS developers through malicious VSCode/OpenVSX extensions that deliver trojanized crypto wallet applications. The campaign uses an AES-256-CBC–encrypted payload embedded in compiled JavaScript, executes after a 15-minute delay, uses AppleScript and LaunchAgents for persistence on macOS, keeps a Solana blockchain-based C2 channel, attempts to steal GitHub, npm, OpenVSX, and Keychain credentials, and checks for Ledger Live and Trezor Suite to replace them with trojanized versions.

  3. 02.11.2025 17:09 2 articles · 6mo ago

    Open VSX rotates leaked access tokens after GlassWorm supply-chain abuse

    Mitigation Patch Update

    The Open VSX registry, developed under the Eclipse Foundation, rotated access tokens after developers accidentally leaked credentials in public repositories and threat actors used some of those tokens in the GlassWorm malware campaign. By October 21, all malicious extensions had been removed from the registry and the associated tokens were rotated or revoked, containing the incident with no ongoing impact.
