GlassWorm malware has returned for the third time, infecting 24 new VSCode extensions across the OpenVSX and Microsoft marketplaces in December 2025. The self-propagating worm hides its malicious code behind invisible Unicode characters that developers and security scanners overlook, and it takes its commands from a public blockchain that takedown requests cannot reach. Despite repeated removal efforts since October, the malware persists, and millions of VSCode developers remain at risk.
Code That Literally Disappears
GlassWorm’s most shocking innovation is its invisibility. The malware uses Unicode variation selectors and Private Use Area characters to inject code that appears as blank lines in VSCode, GitHub diffs, and code reviews. Security researchers at Koi Security discovered the technique in October: “The malware isn’t obfuscated—it’s literally invisible to human eyes and most automated scanners.”
This breaks a fundamental security assumption: that what a reviewer sees is what will run. Developers reviewing extension code see nothing unusual, and GitHub’s diff viewer shows what looks like whitespace. To the JavaScript engine, however, the invisible code points are ordinary characters, so the instructions they carry are still available at runtime. Even experienced developers doing manual code review cannot spot the threat by eye; only a check for the code points themselves reveals it.
Three Waves, Zero Solutions
The timeline exposes marketplace security failures. The first wave hit October 17, 2025, compromising seven OpenVSX extensions with 35,800 installations. OpenVSX and Microsoft removed the malicious code by October 21. GlassWorm returned in November with new extensions. Now December brings the third wave: 24 malicious extensions across both marketplaces, still active.
The pattern is clear. Takedowns don’t work. Attackers create new publisher accounts, submit variations with slight differences, and the malware spreads again. Additionally, with over 100 million VSCode users globally, the attack surface is massive.
Why This Malware Can’t Be Killed
Traditional malware relies on domains or servers that can be seized. In contrast, GlassWorm uses the Solana blockchain as its primary command-and-control infrastructure. Commands are stored in transaction memos, which are permanent, replicated across every node, and owned by no hosting provider that could receive a takedown notice. Fluid Attacks notes that “blockchain transactions are permanent. There is no central hosting provider or infrastructure that can be shut down.”
When an infected extension checks in, it looks up recent transactions from a hardcoded wallet address, extracts a JSON payload containing Base64-encoded URLs, and downloads the next stage from one of them. If a payload URL is blocked, the attackers post a new transaction with a different link; a memo transaction costs pennies. Google Calendar serves as backup C&C, with commands hidden in event titles.
This is malware infrastructure that cannot be taken down by the usual means. What it cannot be is secret: the wallet address is hardcoded into the implant and every memo it posts is public, so defenders can read the same feed, pull each new payload URL as it appears, and block or sinkhole the hosts it points to.
Credential Theft and Self-Propagation
Once installed, GlassWorm harvests npm tokens, GitHub credentials, OpenVSX keys, and Git access. It then targets 49 different cryptocurrency wallets for theft, deploys SOCKS proxy servers that route malicious traffic through victim machines, and installs remote access tools.
However, the worm’s defining characteristic is autonomous replication. Using stolen credentials, GlassWorm compromises additional extensions and packages, creating exponential growth. Every new victim becomes an infection vector. This isn’t just a supply chain attack—it’s a self-propagating worm.
Earlier research by Wiz found over 550 leaked secrets embedded in VSCode extensions, including 100+ publishing tokens. GlassWorm exploits exactly this weakness: a stolen publishing token is all it needs to push a trojanized update to an extension’s existing install base.
What Developers Should Do Now
If you use VSCode, audit your installed extensions immediately. Remove anything suspicious or rarely used. Check for abnormal network activity. Extensions like codejoy-vscode-extension, vscode-theme-seti-folder, and rust-doc-viewer were compromised in previous waves.
Rotate all credentials: GitHub tokens, npm tokens, OpenVSX accounts, Git credentials. Enable two-factor authentication on every developer account. If you detect any indicators of compromise, assume full breach: your credentials are likely stolen, crypto wallets may be drained, and your machine could be serving as a proxy for criminal activity.
The broader question remains unanswered: Can extension marketplaces be secured? Microsoft added secret scanning and pre-publication checks. OpenVSX revoked compromised tokens. Nevertheless, GlassWorm keeps returning. Reactive security isn’t working. The industry needs extension sandboxing, mandatory code signing, and zero-trust architecture for developer tools.
Until then, every extension is a potential threat.