🔴 HIGH · intel

GlassWorm Malware - Open VSX and GitHub Supply Chain Attacks

GlassWorm malware compromises Visual Studio Code extensions published to Open VSX and hosted on GitHub, turning the developer ecosystem into a software supply chain attack vector mapped to T1195 (Supply Chain Compromise) and T1552 (Unsecured Credentials). The campaign plants JavaScript built from invisible Unicode code points into extension source: the code renders as blank in an editor or diff view yet still executes, performing credential theft and data exfiltration. Attackers publish command-and-control endpoints through Solana blockchain transactions so they can rotate them at will, which makes takedown of any single endpoint ineffective. Koi Security reports tens of thousands of downloads across Open VSX and GitHub, with compromised extensions propagating to new projects.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: GlassWorm threatens software supply chains by hijacking developer tools, enabling theft of Git, NPM and cryptocurrency wallet credentials. Technical Context: GlassWorm relies on invisible Unicode JavaScript embedded in extensions and GitHub commits, retrieves payloads from command-and-control endpoints resolved through Solana transactions, and persists through options stored in a database. It aligns with T1195, T1552 and T1059 (Command and Scripting Interpreter).

Strategic Intelligence Guidance

  • Inventory and audit every VS Code extension installed across the enterprise, including those pulled from Open VSX by VS Code forks, and allow-list the set developers may install.
  • Harden CI/CD runners and developer endpoints with least-privilege access so a compromised extension host cannot reach deployment or registry credentials.
  • Scan extension source for runs of invisible Unicode code points and tune EDR to alert on anomalous child processes spawned by the VS Code extension host.
  • Establish a software supply chain governance program that covers IDE extensions alongside package dependencies.
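The detection implied by the guidance above, as an added example that is not part of the original intelligence brief and not Koi Security's or any vendor's tooling: a Python scanner that walks locally installed VS Code extensions (the default ~/.vscode/extensions and ~/.vscode-oss/extensions paths are assumed) and flags source lines carrying long runs of invisible Unicode code points. The character ranges checked are the standard invisible classes (zero-width characters, bidi controls, variation selectors, tag characters); which subset GlassWorm actually used is not stated on this page and is an assumption here. The sample extension text is constructed inline so the scanner runs offline.

```python
"""Flag VS Code extension JavaScript that carries invisible Unicode code points.

Added example; not code from the GlassWorm report or from any vendor tool.
"""
import os
import sys
import unicodedata

# Code point ranges that render as nothing in an editor or a git diff but are
# preserved in the file. Assumption: a "visually blank" payload has to be built
# from characters like these; the exact subset GlassWorm used is not known here.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors VS1-VS16
    (0xFEFF, 0xFEFF),    # zero-width no-break space / stray BOM
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selector supplement VS17-VS256
]

# Assumed default extension directories for VS Code and the OSS build.
DEFAULT_EXTENSION_DIRS = [
    os.path.expanduser("~/.vscode/extensions"),
    os.path.expanduser("~/.vscode-oss/extensions"),
]


def is_invisible(ch):
    """True for code points in INVISIBLE_RANGES or in the Unicode Cf (format) category."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"


def scan_text(text):
    """Return (line_no, invisible_count, longest_run) for every line with an invisible char."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        count = longest = run = 0
        for ch in line:
            if is_invisible(ch):
                count += 1
                run += 1
                longest = max(longest, run)
            else:
                run = 0
        if count:
            findings.append((line_no, count, longest))
    return findings


def suspicious_lines(findings, min_run=8):
    """Keep only lines whose longest run of invisible chars reaches min_run.

    A single VS16 after an emoji in a comment is normal; dozens of consecutive
    invisible code points inside JavaScript have no legitimate rendering purpose.
    """
    return [line_no for line_no, _count, longest in findings if longest >= min_run]


def scan_extension_dirs(dirs=DEFAULT_EXTENSION_DIRS, min_run=8):
    """Walk extension directories and map each suspicious .js/.mjs/.cjs file to its line numbers."""
    hits = {}
    for root_dir in dirs:
        for root, _subdirs, files in os.walk(root_dir):
            for name in files:
                if not name.endswith((".js", ".mjs", ".cjs")):
                    continue
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = suspicious_lines(scan_text(fh.read()), min_run)
                if lines:
                    hits[path] = lines
    return hits


# Constructed sample: line 2 has one variation selector after an emoji (benign),
# line 3 hides 64 consecutive supplementary variation selectors after a brace.
SAMPLE_EXTENSION_JS = (
    "const vscode = require('vscode');\n"
    "// status bar icon: \u2764\uFE0F\n"
    "function activate(context) {"
    + "".join(chr(0xE0100 + i) for i in range(64))
    + "\n"
    "  console.log('ready');\n"
    "}\n"
)


if __name__ == "__main__":
    print("sample findings:", scan_text(SAMPLE_EXTENSION_JS))
    print("sample suspicious lines:", suspicious_lines(scan_text(SAMPLE_EXTENSION_JS)))
    dirs = sys.argv[1:] or DEFAULT_EXTENSION_DIRS
    for path, lines in scan_extension_dirs(dirs).items():
        print(f"{path}: invisible Unicode runs on lines {lines}")
```

The run-length threshold is what keeps the scan usable: counting invisible characters alone would flag every emoji with a VS16 in a comment, whereas a run of eight or more consecutive invisible code points inside JavaScript has no rendering purpose and is worth a human look. Run it against a checked-out extension repository as well as the installed directories, since the brief notes the same invisible code lands in GitHub commits.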

Vendors

Open VSX, GitHub, Microsoft Visual Studio Code

Threats

GlassWorm malware

Targets

VS Code extensions, Open VSX registry