Full Report
The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue. GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm,
Analysis Summary
# Tool/Technique: GlassWorm Extensions (Supply Chain Compromise)
## Overview
GlassWorm is a supply chain attack campaign that distributes malicious code via compromised developer extensions in the Microsoft Visual Studio Marketplace and Open VSX registries. The campaign impersonates popular development frameworks (e.g., Flutter, React, Tailwind, Vim, Vue) to trick developers into installing malicious extensions. The ultimate goal involves credential harvesting (npm, Open VSX, GitHub, Git), cryptocurrency theft, and system co-option for further criminal activities.
## Technical Details
- Type: Malware Campaign / Malicious Software Distribution Technique
- Platform: Development Environments (VS Code), Targeting Windows and macOS systems via implants.
- Capabilities: Credential harvesting, cryptocurrency theft, command-and-control communication via blockchain, supply chain propagation.
- First Seen: October 2025 (current iteration spotted in December 2025)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1195 - Supply Chain Compromise
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (Implied by harvesting Git/npm credentials)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (Use of Solana blockchain for C2)
## Functionality
### Core Capabilities
- **Distribution:** Deploying 24 malicious VS Code extensions impersonating legitimate tools across VS Marketplace and Open VSX.
- **Deception:** Artificially inflating download counts to improve search rankings and appear trustworthy.
- **Execution Chain:** Malicious code is often activated immediately after extension initialization (`activate` context).
### Advanced Features
- **Rust-Based Implants:** Utilizing two platform-specific Rust implants packaged within extensions:
- Windows implant: `os.node` (DLL)
- macOS implant: `darwin.node` (Dynamic Library)
- **C2 Communication via Blockchain:** Retrieving C2 server details directly from a **Solana blockchain wallet address**.
- **Backup C2 Retrieval:** Parsing **Google Calendar events** as a fallback mechanism to locate the C2 address.
- **Next-Stage Payload:** Infected systems download an encrypted JavaScript file after establishing C2 contact.
- **Supply Chain Spreading:** Using harvested credentials to compromise *additional* packages and extensions, enabling worm-like propagation.
- **Evasion:** The campaign has shown it can update the malicious code after an extension's initial approval, bypassing marketplace review filters, and it uses the "invisible Unicode trick."
## Indicators of Compromise
- File Hashes: Information not provided in the text.
- File Names: `os.node` (Windows DLL), `darwin.node` (macOS Dynamic Library).
- Registry Keys: Not specified.
- Network Indicators: C2 is fetched from a Solana blockchain address or Google Calendar events (Defanged C2 examples cannot be provided as the source is dynamic).
- Behavioral Indicators: Installation of VS Code extensions impersonating popular frameworks; presence of Rust DLL/DYLIB files in environments related to VS Code execution; network beaconing to destinations resolved from blockchain data.
## Associated Threat Actors
- GlassWorm (Specific threat actor group name associated with this campaign)
## Detection Methods
- Signature-based detection: Detection for specific file names (`os.node`, `darwin.node`) associated with the implants.
- Behavioral detection: Monitoring for extensions that execute code immediately upon activation or attempt to communicate with external resources resolved via non-standard channels (e.g., blockchain addresses).
- YARA rules: Not provided, but could target the unique structure of the Rust implants or the obfuscation techniques used.
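The signature and behavioral checks listed above can be combined into a simple host-side sweep of the VS Code extensions directory. The script below is an added example written for this write-up, not code from the original report or from any vendor tool. It flags the implant file names the report gives (`os.node`, `darwin.node`), extensions whose manifest activates on every startup (the `"*"` activation event, which matches the "runs immediately after initialization" behavior), and publishers outside an allowlist; the allowlist contents, the sample extension tree and the extension names in it are constructed for demonstration.

```python
"""Sweep a VS Code extensions directory for GlassWorm-style red flags.

Added example for this write-up; not the report's own code. The publisher
allowlist and the sample extension tree below are constructed assumptions.
"""
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Implant file names taken from the report.
IMPLANT_FILENAMES = {"os.node", "darwin.node"}
# Assumed allowlist; a real deployment would source this from policy.
TRUSTED_PUBLISHERS = {"ms-python", "dart-code", "vscodevim"}


@dataclass
class Finding:
    extension: str
    reasons: List[str] = field(default_factory=list)


def scan_extension(ext_dir: str) -> Optional[Finding]:
    """Return a Finding for one extension folder, or None if nothing is suspicious."""
    manifest_path = os.path.join(ext_dir, "package.json")
    if not os.path.isfile(manifest_path):
        return None
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    ident = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    finding = Finding(ident)

    # Source verification: anything outside the allowlist needs a human look.
    if manifest.get("publisher") not in TRUSTED_PUBLISHERS:
        finding.reasons.append("publisher not in allowlist")

    # "*" makes the extension activate on every editor start, before the user
    # opens anything; benign extensions normally scope activation more narrowly.
    if "*" in manifest.get("activationEvents", []):
        finding.reasons.append("activates on startup ('*')")

    # Any bundled native module is worth noting; the report's implant names are high-signal.
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), ext_dir).replace(os.sep, "/")
            if name in IMPLANT_FILENAMES:
                finding.reasons.append(f"native implant file name: {rel}")
            elif name.endswith(".node"):
                finding.reasons.append(f"bundled native module: {rel}")
    return finding if finding.reasons else None


def scan_extensions_root(root: str) -> List[Finding]:
    """Scan every extension folder under root (e.g. ~/.vscode/extensions)."""
    findings = []
    for entry in sorted(os.listdir(root)):
        finding = scan_extension(os.path.join(root, entry))
        if finding:
            findings.append(finding)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample: one benign extension and one impersonator carrying os.node."""
    benign = os.path.join(root, "dart-code.flutter-3.0.0")
    os.makedirs(benign)
    with open(os.path.join(benign, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "flutter", "publisher": "dart-code",
                   "activationEvents": ["onLanguage:dart"]}, fh)

    suspicious = os.path.join(root, "flutter-tools.flutter-helper-1.0.2")
    os.makedirs(os.path.join(suspicious, "out"))
    with open(os.path.join(suspicious, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "flutter-helper", "publisher": "flutter-tools",
                   "activationEvents": ["*"]}, fh)
    # Empty placeholder standing in for the native implant; only the name matters here.
    open(os.path.join(suspicious, "out", "os.node"), "wb").close()


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir and return findings keyed by extension id."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f.extension: f.reasons for f in scan_extensions_root(root)}


if __name__ == "__main__":
    for ext, reasons in demo().items():
        print(ext)
        for reason in reasons:
            print("  -", reason)
```

Point `scan_extensions_root` at the real extensions directory (`~/.vscode/extensions` or the Open VSX-based editor's equivalent) to run it on a workstation. Note that newer VS Code releases infer activation events from `contributes` entries, so an empty `activationEvents` list is not evidence of narrow activation; the `"*"` check catches only the explicit case.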
## Mitigation Strategies
- **Source Verification:** Implement strict verification processes for extensions installed from VS Marketplace and Open VSX, prioritizing official publishers or well-established maintainers.
- **Download Scrutiny:** Be wary of extensions with high download counts that are newly published or impersonate popular software.
- **Principle of Least Privilege:** Restrict the permissions granted to development tools and extensions where possible.
- **Monitor Network Traffic:** Deploy Network Detection and Response (NDR) to monitor for unusual outbound connections generated by developer tools, especially those seemingly resolving hostnames from cryptocurrency transaction metadata or calendar APIs.
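The network-monitoring recommendation above can be expressed as a small correlation rule: a developer-tool process contacts a "resolver" service (a Solana RPC endpoint or the Google Calendar API) and shortly afterwards opens a connection to a host it has never talked to before, which is the pattern of fetching a C2 address and then pulling the next-stage payload. The following is an added example for this write-up, not code from the original report or from any NDR product. The proxy log format, the process names, and the resolver hostnames are assumptions; the report states that the C2 address is read from a Solana wallet address or Google Calendar events but names no concrete endpoints.

```python
"""Correlate resolver lookups with follow-on connections from developer tools.

Added example for this write-up; not the report's own code. Log format,
process names and resolver hostnames below are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed process names for VS Code and its helpers on Windows/macOS.
DEV_TOOL_PROCESSES = {"Code.exe", "Code Helper", "node"}
# (host suffix, required path prefix or None, label); assumed resolver endpoints.
RESOLVER_RULES = [
    (".solana.com", None, "solana-rpc"),
    ("googleapis.com", "/calendar/", "google-calendar"),
]
WINDOW = timedelta(minutes=5)  # how soon after a resolver hit a new host counts

# Constructed proxy log: "<ISO time>\t<host process>\t<dest host>\t<path>"
SAMPLE_LOG = """\
2025-12-08T10:00:01\tCode Helper\tmarketplace.visualstudio.com\t/_apis/public/gallery
2025-12-08T10:00:05\tCode Helper\tapi.mainnet-beta.solana.com\t/
2025-12-08T10:00:09\tCode Helper\t203.0.113.45\t/stage2.js
2025-12-08T10:02:00\tchrome.exe\twww.googleapis.com\t/calendar/v3/calendars
2025-12-08T10:20:00\tCode Helper\tupdate.code.visualstudio.com\t/api/update
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, proc, host, path = line.split("\t")
    return datetime.fromisoformat(ts), proc, host, path


def classify_resolver(host: str, path: str) -> Optional[str]:
    """Label a destination if it matches one of the assumed resolver services."""
    for suffix, prefix, label in RESOLVER_RULES:
        if host.endswith(suffix) and (prefix is None or path.startswith(prefix)):
            return label
    return None


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return alerts for dev-tool resolver contacts and post-resolver new hosts."""
    alerts: List[Dict[str, str]] = []
    last_resolver: Dict[str, Tuple[datetime, str]] = {}  # process -> (time, label)
    seen_hosts: Dict[str, Set[str]] = {}                # process -> hosts seen so far

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, path = parse_line(line)
        if proc not in DEV_TOOL_PROCESSES:
            continue  # browsers legitimately use calendar and blockchain APIs
        seen = seen_hosts.setdefault(proc, set())

        label = classify_resolver(host, path)
        if label:
            # Medium: an editor process has no ordinary reason to query these services.
            alerts.append({"type": "resolver-contact", "process": proc,
                           "host": host, "via": label, "time": ts.isoformat()})
            last_resolver[proc] = (ts, label)
        elif host not in seen and proc in last_resolver:
            res_ts, res_label = last_resolver[proc]
            if ts - res_ts <= WINDOW:
                # High: first-ever contact with a host right after a resolver lookup,
                # matching "fetch C2 address, then download next-stage payload".
                alerts.append({"type": "post-resolver-new-host", "process": proc,
                               "host": host, "via": res_label, "time": ts.isoformat()})
        seen.add(host)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the constructed log, the browser's calendar call is ignored, the editor's Solana RPC call raises a medium alert, and the connection to the never-before-seen host four seconds later raises the high alert; the update check twenty minutes later falls outside the window and is only recorded as a newly seen host. A real deployment would seed `seen_hosts` from a longer baseline rather than from the same log it is scoring.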
## Related Tools/Techniques
- Previous GlassWorm iterations utilized exploitation of npm, Open VSX, and GitHub credentials.
- Supply chain compromise targeting developer ecosystems (e.g., Sonatype reports on similar extension abuse).