Invisible Code Worm Infects Thousands of Developer Systems Through VS Code Extensions

Stealthy Malware Campaign Targets Development Environments

A sophisticated malware campaign targeting Visual Studio Code extensions has infected approximately 35,800 developer machines in what security researchers are calling an unprecedented supply chain attack. According to reports from Koi Security, the self-propagating worm, named “GlassWorm,” employs techniques that analysts suggest represent a major paradigm shift in malware sophistication.

The malware was initially discovered on October 18 when researchers flagged suspicious behavioral changes in an extension called CodeJoy on the OpenVSX marketplace, an open-source alternative to Microsoft’s official extension repository. Sources indicate the extension had been compromised with malware that uses printable Unicode characters that don’t render in code editors, effectively making malicious code invisible to human reviewers.

Unprecedented Invisibility Technique

Koi Security CTO Idan Dardikman stated in a detailed blog post that the malware’s defining characteristic is its complete visual transparency. “The malware is invisible,” Dardikman wrote. “Not obfuscated. Not hidden in a minified file. Actually invisible to the human eye.” This approach, which inspired the name GlassWorm, reportedly “completely breaks traditional code review” processes that security professionals have relied upon for years.
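As an added defender-side example (not code from Koi Security or from the article), a small scanner that surfaces the kind of non-rendering Unicode code points described above so review tooling can flag them before a human reviewer misses them; the flagged character classes, the run-length threshold and the sample extension source are my assumptions.

```javascript
// Character classes treated as invisible (constructed choice, tune per code base):
//   \p{Cf}             format controls: ZWSP, ZWJ, bidi overrides, BOM, tag characters
//   U+FE00..U+FE0F     variation selectors
//   U+E0100..U+E01EF   variation selectors supplement
const INVISIBLE_RE = /[\p{Cf}\u{FE00}-\u{FE0F}\u{E0100}-\u{E01EF}]/u;

// Report every invisible code point with a 1-based line and 0-based column
// (columns count code points, not UTF-16 units). A byte-order mark that is
// the very first character of the file is common and benign, so it is skipped.
function findInvisibleCodePoints(source) {
  const findings = [];
  source.split('\n').forEach((text, lineIdx) => {
    let column = 0;
    for (const ch of text) { // string iteration yields whole code points
      const cp = ch.codePointAt(0);
      const leadingBom = lineIdx === 0 && column === 0 && cp === 0xfeff;
      if (!leadingBom && INVISIBLE_RE.test(ch)) {
        findings.push({
          line: lineIdx + 1,
          column,
          codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
        });
      }
      column += 1;
    }
  });
  return findings;
}

// Longest run of consecutive invisible code points on any single line.
// A lone ZWJ inside an emoji sequence is normal; a run of many variation
// selectors carries hidden data and is what review tooling should block.
function longestInvisibleRun(source) {
  let longest = 0, run = 0, prev = null;
  for (const f of findInvisibleCodePoints(source)) {
    run = prev && prev.line === f.line && prev.column === f.column - 1 ? run + 1 : 1;
    if (run > longest) longest = run;
    prev = f;
  }
  return longest;
}

// Assumed threshold: eight or more invisible code points in a row is a payload.
function hasHiddenPayload(source, threshold = 8) {
  return longestInvisibleRun(source) >= threshold;
}

// Constructed sample: a harmless-looking extension entry point whose second
// line ends in ten variation selectors that no editor will render.
const SAMPLE_EXTENSION_SOURCE = [
  'const vscode = require("vscode");',
  'const greeting = "hello";' + '\u{E0101}\u{E0102}\u{E0103}\u{E0104}\u{E0105}' +
    '\u{E0106}\u{E0107}\u{E0108}\u{E0109}\u{E010A}',
  'function activate(context) {}',
  'module.exports = { activate };',
].join('\n');
```

Running `findInvisibleCodePoints(SAMPLE_EXTENSION_SOURCE)` reports ten findings on line 2 starting at column 25, and `hasHiddenPayload` returns true for the sample but false for a single ZWJ inside an emoji string literal.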

Researchers compared the campaign to previous malware operations affecting the NPM registry, particularly the Shai Hulud campaign that Koi also discovered. However, analysts suggest GlassWorm represents a significant evolution in attack methodology that could have far-reaching implications for software supply chain security.

Multi-Faceted Attack Capabilities

The investigation reportedly revealed an extensive set of malicious functionalities built into GlassWorm. The malware allegedly uses the Solana blockchain as its primary command and control (C2) mechanism with Google Calendar serving as a backup command server. According to the report, the worm harvests credentials from NPM, GitHub, and Git systems to enable further supply chain propagation and targets cryptocurrency wallets for financial gain.

Additional capabilities identified by researchers include deploying SOCKS proxy servers to transform infected developer machines into extended C2 infrastructure and installing hidden virtual network computing (VNC) servers for complete remote access. The report states that these features enable the malware to create extensive criminal networks using compromised development workstations.

Worm-Like Propagation Mechanism

GlassWorm initially infected several extensions on October 17, with three reportedly still actively distributing malware despite cleanup efforts. Dardikman told Dark Reading that while four compromised extensions have been updated to clean versions, their malicious counterparts remain available for download. The malware has also spread beyond OpenVSX to Microsoft’s official VS Code marketplace, though Microsoft quickly removed the infected extension after being notified.

The worm’s propagation method represents one of its most dangerous aspects, according to analysts. By using stolen credentials from NPM, GitHub, OpenVSX, and Git systems, GlassWorm can compromise additional packages and extensions, turning “each new victim into an infection vector” in what security professionals describe as a sophisticated supply chain attack.

Criminal Infrastructure Network

Perhaps the most concerning aspect of GlassWorm is its final stage module called “ZOMBI,” which reportedly transforms infected developer workstations into nodes within a criminal infrastructure network. This gives attackers free proxy networks with extensive reach throughout the software development ecosystem, potentially affecting countless downstream applications and services.

Mitigation and Response Recommendations

Organizations that identify indicators of compromise should assume they have been fully compromised, with credentials likely stolen and cryptocurrency wallets potentially drained. According to Dardikman, infected machines may already be serving as SOCKS proxies for criminal activity.

Security professionals recommend that organizations take immediate action for any compromised systems, including:

  • Rotating all secrets, including NPM tokens, GitHub tokens, OpenVSX and VSCode tokens, and all passwords
  • Formatting infected machines to ensure complete malware removal
  • Conducting thorough security audits of all development environments and extension sources

Security analysts suggest that the GlassWorm campaign represents a significant escalation in software supply chain attacks, demonstrating that no code repositories or marketplaces are safe from determined threat actors employing increasingly sophisticated obfuscation and propagation techniques.

This article aggregates information from publicly available sources. All trademarks and copyrights belong to their respective owners.
