A month after Shai Hulud became the first self-propagating worm in the npm ecosystem, we just discovered the world's first worm targeting VS Code extensions on OpenVSX marketplace.
But GlassWorm isn't just another supply chain attack. It's using stealth techniques we've never seen before in the wild - invisible Unicode characters that make malicious code literally disappear from code editors. Combine that with blockchain-based C2 infrastructure that can't be taken down, Google Calendar as a backup command server, and a full remote access trojan that turns every infected developer into a criminal proxy node.
This is one of the most sophisticated supply chain attacks we've ever analyzed. And it's spreading right now.
GlassWorm - puts millions at risk
What GlassWorm does to infected systems:
Harvests NPM, GitHub, and Git credentials for supply chain propagation
Targets 49 different cryptocurrency wallet extensions to drain funds
Deploys SOCKS proxy servers, turning developer machines into criminal infrastructure
Installs hidden VNC servers for complete remote access
Uses stolen credentials to compromise additional packages and extensions, spreading the worm further
... continue reading