Full Report
The GlassWorm malware campaign, which impacted the OpenVSX and Visual Studio Code marketplaces last month, has returned with three new VSCode extensions that have already been downloaded over 10,000 times. [...]
Analysis Summary
# Tool/Technique: GlassWorm Malware Campaign
## Overview
GlassWorm is a malware campaign that utilizes malicious VSCode and OpenVSX marketplace extensions to steal sensitive information, including credentials for GitHub, NPM, and OpenVSX accounts, as well as cryptocurrency wallet data. The campaign notably employs invisible Unicode characters to obfuscate malicious JavaScript code within the extension files, allowing it to evade initial defenses. The campaign has returned using the same core infrastructure but with updated Command and Control (C2) endpoints.
## Technical Details
- Type: Malware Family/Campaign
- Platform: VSCode extension marketplace (VS Code and OpenVSX)
- Capabilities: Credential harvesting (GitHub, NPM, OpenVSX), cryptocurrency wallet data exfiltration, supply chain compromise via marketplace extensions.
- First Seen: Last month (relative to the article date of Nov 8, 2025).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1588.002 - Obtain Capabilities: Compromise Software Supply Chain
  - T1589.003 - Gather Victim Identity: Email Accounts (implied: harvesting accounts is the primary goal)
- **TA0005 - Credential Access**
  - T1555.003 - Credentials from Web Browsers (implied: wallet data suggests browser interaction)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (C2 infrastructure reached via Solana transactions and other P2P methods)
## Functionality
### Core Capabilities
- **Malicious Extension Delivery:** Infection vector is through seemingly legitimate but malicious VSCode extensions hosted on the OpenVSX marketplace.
- **Credential Theft:** Primary goal is stealing account credentials for software development platforms (GitHub, NPM, OpenVSX).
- **Cryptocurrency Data Exfiltration:** Targets cryptocurrency wallet data; 49 different extensions were implicated in the initial wave.
### Advanced Features
- **Unicode Obfuscation:** Uses invisible Unicode characters that render as blanks but execute as malicious JavaScript code, effectively bypassing superficial marketplace security checks.
- **C2 Updates:** Returns with updated Command-and-Control (C2) endpoints, indicating active maintenance and adaptation to security responses.
- **Solana Transaction Reliance:** Leverages Solana transactions to fetch payloads or communicate C2 instructions.
## Indicators of Compromise
- File Hashes: (Not specified in the article)
- File Names: Malicious extensions impersonating legitimate tools:
  - `ai-driven-dev.ai-driven-dev`
  - `adhamu.history-in-sublime-merge`
  - `yasuyuky.transient-emacs`
- Registry Keys: (Not specified in the article)
- Network Indicators: Uses updated Command-and-Control (C2) endpoints; communications involve Solana infrastructure. (No specific URLs or IPs are given in the article.)
- Behavioral Indicators: Execution of obfuscated JavaScript payloads triggered upon extension installation/use; communication potentially involving Solana transaction metadata.
## Associated Threat Actors
- The attacker is believed to be **Russian-speaking**.
- The threat actor utilizes the **RedExt open-source C2 browser extension framework**.
## Detection Methods
- Signature-based detection: Not detailed in the article; at minimum, flag installations of the known malicious extension identifiers listed above.
- Behavioral detection: Monitoring for execution of hidden JavaScript within extension source code environments, particularly those involving hidden Unicode characters. Analyzing network traffic for communications routed through Solana infrastructure associated with marketplace extensions.
- YARA rules: Not provided in the article, but rules could be developed to match the invisible-Unicode obfuscation pattern or artifacts of the C2 framework.
## Mitigation Strategies
- **Marketplace Security:** OpenVSX was forced to rotate access tokens for breached accounts (Mitigation already partially applied by the marketplace).
- **Supply Chain Vigilance:** Organizations and users should exercise extreme caution when installing extensions from less mainstream marketplaces like OpenVSX or even the official VS Code marketplace, especially those with high initial download counts but low long-term reputation.
- **Code Review:** For critical internal extensions, manual review or enhanced automated scanning for obfuscated code patterns (like invisible Unicode) is necessary.
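The automated scan for invisible Unicode mentioned under Detection Methods and Code Review, as an added example that is not part of the original article or of any vendor tooling. It walks an installed extension folder and reports every run of characters that render as nothing in an editor (Unicode category Cf plus variation selectors and the Hangul filler). Which exact code points GlassWorm used is not stated on this page, so the character set, the directory layout and the sample file are assumptions.

```python
import os
import sys
import unicodedata

# Constructed sample (not campaign code): variation selectors and a zero-width space hide after a harmless statement.
SAMPLE_JS = "const x = 1;" + "\ufe00\ufe01\ufe0f" * 4 + "\u200b\nconsole.log(x);\n"
# Invisible code points outside category Cf; this set is an assumption, the page does not list the characters used.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),    # variation selectors (category Mn, so not caught by the Cf check)
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0x3164, 0x3164),    # Hangul filler
]

def is_invisible(ch):
    # Cf covers ZWSP, ZWNJ, ZWJ, BOM, soft hyphen and the Unicode tag characters.
    cp = ord(ch)
    return unicodedata.category(ch) == "Cf" or any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def find_invisible_runs(source):
    """Return (line, column, run_length, sorted code points) for each run of invisible characters."""
    findings, line, col, i = [], 1, 0, 0
    while i < len(source):
        if is_invisible(source[i]):
            start = i
            while i < len(source) and is_invisible(source[i]):
                i += 1
            run = source[start:i]
            findings.append((line, col, len(run), sorted({f"U+{ord(c):04X}" for c in run})))
            col += len(run)
            continue
        line, col = (line + 1, 0) if source[i] == "\n" else (line, col + 1)
        i += 1
    return findings

def scan_extension_dir(root, exts=(".js", ".mjs", ".cjs", ".ts")):
    """Walk an installed extension folder (e.g. ~/.vscode/extensions/<publisher.name>) and collect hits per file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.endswith(exts)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_invisible_runs(fh.read())
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    results = scan_extension_dir(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": find_invisible_runs(SAMPLE_JS)}
    for path, hits in results.items():
        print(path, *(f"  line {l} col {c}: {n} invisible chars ({', '.join(cps)})" for l, c, n, cps in hits), sep="\n")
```

Run it with no arguments to check the embedded sample, or pass an extensions directory to scan every shipped script; a hit is a review trigger, not proof of compromise, since legitimate minified code occasionally contains a stray BOM or zero-width joiner.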
## Related Tools/Techniques
- **RedExt:** The identified C2 browser extension framework used by the operators.
- **Supply Chain Compromise:** Similar campaigns targeting developer tools and marketplaces (e.g., previous instances impacting VS Code/OpenVSX).