Researchers disclosed on January 31, 2026, a supply chain attack called GlassWorm that has been spreading through the Open VSX marketplace for VS Code extensions since at least October 2025. The malware is self-propagating—infected developers unknowingly spread it further when they publish their own extensions—and uses the Solana blockchain for command-and-control infrastructure that cannot be taken down.
“This is one of the most sophisticated supply chain attacks we’ve ever analyzed,” according to Koi Security researchers.
Incident overview
| Attribute | Details |
|---|---|
| Campaign name | GlassWorm |
| First observed | October 2025 |
| Platforms affected | Open VSX, Visual Studio Marketplace |
| Target OS | macOS (primary), Windows (secondary) |
| C2 infrastructure | Solana blockchain + Google Calendar |
| Primary payload | Credential stealer, cryptojacker |
| Self-propagation | Yes (worm behavior) |
| Discovery | Koi Security |
Attack scope
| Metric | Count |
|---|---|
| Open VSX infected downloads | 35,800+ |
| VSCode Marketplace downloads | 22,000+ |
| Malicious extensions (second wave) | 24 |
| Targeted crypto wallet extensions | 49 |
| First observed | October 2025 |
| Latest activity | February 2026 |
The attack continues to resurface. On January 30, 2026, four established Open VSX extensions from the legitimate publisher “oorzc” had malicious versions pushed after the account was compromised—a significant escalation from previous typosquatting tactics.
Account compromise details
| Attribute | Details |
|---|---|
| Compromised account | oorzc |
| Account age | 2+ years (established, trusted) |
| Clean extensions | Previously safe for over 2 years |
| Attack method | Stolen/leaked publishing credentials |
| Extensions affected | 4 popular packages |
This represents a shift from typosquatting to trusted-publisher compromise—a more dangerous attack vector because users have no reason to suspect extensions from established developers.
Attack timeline
| Date | Event |
|---|---|
| October 17, 2025 | Seven OpenVSX extensions compromised with initial GlassWorm payload |
| October 19, 2025 | Ten extensions still actively distributing malware |
| Late 2025 | Campaign pivots from Windows to macOS targeting |
| December 2025 | Second wave: 24 extensions impersonating popular tools (Flutter, React, Tailwind, Vim, Vue) |
| January 30, 2026 | Legitimate “oorzc” developer account compromised |
| January 31, 2026 | Koi Security publishes full technical analysis |
How GlassWorm spreads
The malware hides inside extensions offering real functionality—code formatters, themes, language support. Once installed, the extension:
- Steals developer credentials — SSH keys, cloud tokens, Git credentials, NPM tokens, GitHub tokens
- Injects malicious code into any VS Code extension projects on the system
- Establishes persistence that survives VS Code restarts
- Harvests OpenVSX access tokens — Uses stolen credentials to publish infected packages automatically
When the developer publishes their now-infected extension, the cycle repeats. Each victim becomes a new infection vector.
Self-propagation mechanism
| Phase | Action |
|---|---|
| 1 | Malicious extension installed by victim |
| 2 | Credential harvesting (NPM, GitHub, OpenVSX tokens) |
| 3 | Scans system for VS Code extension projects |
| 4 | Injects malicious loader into extension activate() entry points |
| 5 | Victim publishes infected extension to marketplace |
| 6 | New victims download infected extension |
| 7 | Cycle repeats autonomously |
Solana blockchain C2
GlassWorm uses the Solana blockchain as a dead-drop for C2 addresses. The malware:
- Queries transactions from a hardcoded wallet address
- Reads the memo field (arbitrary text attached to blockchain transactions)
- Extracts updated C2 server locations from the memo
- Falls back to Google Calendar API if blockchain lookup fails
C2 Wallet: 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2
Why blockchain C2 is dangerous
| Factor | Impact |
|---|---|
| Immutability | Transactions cannot be deleted or modified |
| Censorship resistance | No domain registrar or hosting provider to contact |
| Pseudonymity | Wallet addresses harder to attribute than domains |
| Legitimate traffic | Solana RPC requests blend with normal developer activity |
| Backup mechanism | Google Calendar provides redundant C2 path |
Triple-layered C2 infrastructure
GlassWorm uses a resilient multi-channel C2 architecture:
| Layer | Method | Purpose |
|---|---|---|
| Primary | Direct IP (217.69.3.218) | Fast, reliable communication |
| Secondary | Solana blockchain memos | Takedown-resistant instruction delivery |
| Tertiary | Google Calendar events | Backup command channel |
This multi-pronged approach ensures attackers maintain control even if one or two channels are disrupted.
Invisible code obfuscation
GlassWorm uses stealth techniques researchers hadn’t seen in the wild before: invisible Unicode characters that make malicious code literally disappear from code editors. The malicious payload is present in the file but invisible to developers reviewing the code.
| Technique | Description |
|---|---|
| Zero-width characters | Payload encoded using invisible Unicode |
| Editor blindness | Code appears clean in VS Code, GitHub, standard review |
| Tooling evasion | Many AST parsers and linters don’t flag invisible chars |
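The obfuscation described above is detectable even when an editor shows nothing, because the hidden characters are still bytes in the file. The scanner below is an added example written for this page, not Koi Security's tooling or anything from the malicious extensions: it walks a file character by character and reports every Unicode format character (the "Cf" category, which covers zero-width joiners, bidi controls, the soft hyphen and the U+E0000..U+E007F tag block) plus a few other visually blank code points, and it decodes any run of tag characters back to the ASCII they shift. It goes a little beyond the page by covering the whole format-character class rather than only zero-width spaces. The sample input is constructed; a UTF-8 byte-order mark as the very first character is tolerated because build tools emit it legitimately.

```python
import unicodedata

# Non-"Cf" code points that most fonts still render as empty space, so the
# format-character test alone would miss them (assumed list, not from the page).
EXTRA_INVISIBLE = {"\u034f", "\u115f", "\u1160", "\u3164", "\uffa0"}
BOM = "\ufeff"  # legitimate only as the first character of a UTF-8 file


def is_invisible(ch):
    """True for Unicode format characters (zero-width joiners, bidi controls,
    soft hyphen, the U+E0000..U+E007F tag block) and a few other blank glyphs."""
    return unicodedata.category(ch) == "Cf" or ch in EXTRA_INVISIBLE


def find_invisible_chars(text, allow_leading_bom=True):
    """Return one (line, col, 'U+XXXX', name) tuple per hidden character."""
    findings = []
    line, col = 1, 1
    for offset, ch in enumerate(text):
        if ch == "\n":
            line, col = line + 1, 1
            continue
        leading_bom = allow_leading_bom and offset == 0 and ch == BOM
        if is_invisible(ch) and not leading_bom:
            findings.append((line, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
        col += 1
    return findings


def decode_tags(text):
    """Tag characters are ASCII shifted up by 0xE0000; recover the hidden text."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def scan_file(path, allow_leading_bom=True):
    """Scan one source file and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_invisible_chars(fh.read(), allow_leading_bom)


# Constructed sample (not code from any real extension): an entry point whose
# second line carries three tag characters and whose third line hides a
# zero-width space. Both lines look identical to clean code in an editor.
SAMPLE = (
    "function activate(context) {\n"
    '  const cfg = "prod";\U000E0041\U000E0042\U000E0043\n'
    "  return\u200b cfg;\n"
    "}\n"
)

if __name__ == "__main__":
    import sys

    paths = sys.argv[1:]
    if not paths:
        for line, col, cp, name in find_invisible_chars(SAMPLE):
            print(f"sample:{line}:{col}: {cp} {name}")
        print("hidden tag text:", decode_tags(SAMPLE))
    for p in paths:
        for line, col, cp, name in scan_file(p):
            print(f"{p}:{line}:{col}: {cp} {name}")
```

Run it over an extension's `out/` directory (`python scan.py path/to/*.js`) before trusting a review that "looked clean". A non-empty result is not proof of malice (legitimate code occasionally contains a stray zero-width joiner in a string literal), but a long run of tag characters next to an `activate()` body has no honest explanation and should be treated as the page's "Extension activate() modifications" indicator.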
Platform evolution
The threat actor pivoted from Windows-focused activity to macOS:
| Windows (original) | macOS (evolved) |
|---|---|
| PowerShell execution | AppleScript execution |
| Registry persistence | LaunchAgents persistence |
| Standard infostealers | Atomic Stealer variants |
Target platform and data
The payloads now primarily target macOS (both Apple Silicon and Intel). Data exfiltrated includes:
| Category | Specific targets |
|---|---|
| Browser data | Logins, cookies, history, wallet extensions |
| Cryptocurrency | 49 wallet browser extensions, Ledger Live, Trezor Suite |
| System credentials | iCloud Keychain databases, Safari cookies |
| Developer secrets | ~/.aws, ~/.ssh, NPM _authToken, GitHub tokens |
| VPN configs | FortiClient VPN configurations |
| Notes | Apple Notes content |
Trojanized hardware wallet apps
The malware now checks for hardware cryptocurrency wallet applications like Ledger Live and Trezor Suite and replaces them with trojanized versions—a significant escalation targeting high-value crypto holders.
Advanced capabilities
Beyond credential theft, GlassWorm provides attackers with:
| Capability | Risk |
|---|---|
| SOCKS proxy deployment | Victim machines become criminal infrastructure |
| Hidden VNC server | Complete remote access without user knowledge |
| Keychain password theft | System-level credential access on macOS |
| Persistent backdoor | Survives VS Code restarts and updates |
Technical indicators
| Indicator | Value |
|---|---|
| C2 Server | 217.69.3[.]218 |
| Secondary C2 | 140.82.52[.]31:80/wall |
| Solana Wallet | 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2 |
Behavioral indicators
| Indicator | Detection method |
|---|---|
| Outbound Solana RPC connections | Network monitoring from dev machines |
| Google Calendar API calls | Unexpected Calendar access from VS Code |
| Extension activate() modifications | File integrity monitoring |
| New LaunchAgents | macOS persistence monitoring |
| Invisible Unicode in source | Specialized code review tools |
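The "file integrity monitoring" row above is easy to put into practice because installed extensions are plain directories. The script below is an added example for this page, not code from Koi Security, the Eclipse Foundation or VS Code: it hashes every file under the extensions directory into a JSON baseline, diffs a later snapshot against it, and raises the severity of any change that touches the module each extension's `package.json` declares as `main` (the file that exports `activate()`). It assumes the default layout `~/.vscode/extensions/<publisher>.<name>-<version>/package.json`; the `demo()` function builds a constructed extension tree in a temporary directory so the logic can be exercised offline.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed default location of installed extensions (adjust for VS Code Insiders,
# VSCodium, or a custom --extensions-dir).
DEFAULT_ROOT = Path.home() / ".vscode" / "extensions"


def snapshot(root):
    """Map every file under root (posix-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(path, snap):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_snapshots(baseline, current):
    """Added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def entry_points(root):
    """Relative path of the 'main' module declared by each extension's package.json."""
    root = Path(root)
    mains = set()
    for pkg in root.glob("*/package.json"):
        try:
            main = json.loads(pkg.read_text(encoding="utf-8")).get("main")
        except (ValueError, OSError):
            continue  # unreadable or non-JSON manifest: nothing to resolve
        if main:
            mains.add(Path(os.path.normpath(os.path.join(pkg.parent.name, main))).as_posix())
    return mains


def flag_entry_point_changes(root, diff):
    """Changes that touch an activate() entry point deserve the highest severity."""
    mains = entry_points(root)
    return sorted(p for p in diff["added"] + diff["modified"] if p in mains)


def demo():
    """Build a constructed extension tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extensions"
        ext = root / "acme.helper-1.0.0"  # constructed publisher/name, not a real extension
        (ext / "out").mkdir(parents=True)
        (ext / "package.json").write_text(json.dumps(
            {"name": "helper", "publisher": "acme", "version": "1.0.0",
             "main": "./out/extension.js"}))
        (ext / "out" / "extension.js").write_text("exports.activate = function (ctx) {};\n")
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the monitored root
        save_baseline(baseline_file, snapshot(root))
        # Simulated tampering: the entry point is rewritten and a new file appears.
        (ext / "out" / "extension.js").write_text(
            "// constructed modification\nexports.activate = function (ctx) {};\n")
        (ext / "out" / "extra.js").write_text("/* constructed placeholder */\n")
        diff = diff_snapshots(load_baseline(baseline_file), snapshot(root))
        return diff, flag_entry_point_changes(root, diff)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        save_baseline(sys.argv[2], snapshot(DEFAULT_ROOT))
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        d = diff_snapshots(load_baseline(sys.argv[2]), snapshot(DEFAULT_ROOT))
        print(json.dumps({"diff": d, "entry_point_changes": flag_entry_point_changes(DEFAULT_ROOT, d)}, indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Take the baseline immediately after a deliberate, reviewed install or update (`python fim.py baseline ~/ext-baseline.json`) and run `check` on a schedule. A legitimate extension update will of course show as "modified", which is exactly the point of the page's "unexpected version bumps" indicator: an entry-point change that does not line up with an update you chose to apply is the signal.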
Attribution hints
The malware includes locale checks that prevent execution on systems configured for Russian language, a characteristic consistent with Russian-speaking cybercriminal groups who avoid targeting domestic systems to reduce law enforcement attention.
What developers should do
Immediate actions
| Priority | Action |
|---|---|
| Critical | Audit installed extensions—remove anything from unrecognized publishers |
| Critical | Check extension source code—inspect activate() entry points |
| High | Prefer official Visual Studio Marketplace over Open VSX when possible |
| High | Rotate credentials if suspicious extensions were installed (SSH keys, cloud tokens, NPM, Git) |
| High | Verify hardware wallet applications haven’t been modified |
Detection
| Monitor for | Indicates |
|---|---|
| Connections to C2 IPs listed above | Active infection |
| Unexpected Solana RPC endpoint connections | C2 communication |
| Extension update histories with unexpected version bumps | Compromise |
| New LaunchAgents referencing VS Code | Persistence mechanism |
| Outbound traffic during VS Code sessions | Data exfiltration |
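The network rows in the table above can be expressed as a small classifier over egress records. The code below is an added example for this page, not a vendor detection rule: it refangs the two C2 addresses listed under "Technical indicators" (so they can be pasted exactly as reports print them), and it flags Solana RPC and Google Calendar API traffic only when the originating process is the editor or its extension host, because the same destinations are perfectly normal from a browser with a wallet extension. The Solana domain suffix, the Calendar API host and path prefix, and the process names are assumptions rather than facts from the page; the log records are constructed and use TEST-NET addresses for everything that is not a page IoC.

```python
import ipaddress

# Indicators from this page, kept defanged exactly as the report writes them.
DEFANGED_C2 = ["217.69.3[.]218", "140.82.52[.]31"]

# Assumed values (not from the page): public Solana RPC domain suffix, the Google
# API host and path prefix used by the Calendar API, and the process names the
# VS Code extension host runs under. Adjust to your environment.
SOLANA_RPC_SUFFIXES = (".solana.com",)
CALENDAR_HOST, CALENDAR_PREFIX = "www.googleapis.com", "/calendar/"
VSCODE_PROCESSES = {"code", "code helper (plugin)", "code helper", "node"}


def refang(ioc):
    """Turn '217.69.3[.]218' back into a parseable address."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


KNOWN_C2 = {ipaddress.ip_address(refang(i)) for i in DEFANGED_C2}


def classify(event):
    """Return an alert kind for one egress event, or None if it is unremarkable."""
    host = event.get("host", "").lower()
    proc = event.get("process", "").lower()
    if ipaddress.ip_address(event["dst_ip"]) in KNOWN_C2:
        return "known_c2"  # from any process: this address has no benign use here
    if proc not in VSCODE_PROCESSES:
        return None  # the remaining indicators only matter from the editor
    if host.endswith(SOLANA_RPC_SUFFIXES):
        return "solana_rpc"
    if host == CALENDAR_HOST and event.get("path", "").startswith(CALENDAR_PREFIX):
        return "calendar_api"
    return None


def scan_events(events):
    """Run classify() over a batch and return (ts, process, kind, dst_ip, host) alerts."""
    alerts = []
    for ev in events:
        kind = classify(ev)
        if kind:
            alerts.append((ev["ts"], ev["process"], kind, ev["dst_ip"], ev.get("host", "")))
    return alerts


# Constructed proxy/egress records from one developer workstation.
SAMPLE_EVENTS = [
    {"ts": "2026-01-31T09:12:03Z", "process": "Code Helper (Plugin)",
     "dst_ip": "217.69.3.218", "dst_port": 443, "host": "", "path": ""},
    {"ts": "2026-01-31T09:12:05Z", "process": "Code Helper (Plugin)",
     "dst_ip": "203.0.113.10", "dst_port": 443, "host": "api.mainnet-beta.solana.com", "path": "/"},
    {"ts": "2026-01-31T09:12:09Z", "process": "Code Helper (Plugin)",
     "dst_ip": "203.0.113.20", "dst_port": 443, "host": "www.googleapis.com",
     "path": "/calendar/v3/calendars/primary/events"},
    {"ts": "2026-01-31T09:13:00Z", "process": "Code Helper (Plugin)",
     "dst_ip": "203.0.113.30", "dst_port": 443, "host": "marketplace.visualstudio.com",
     "path": "/_apis/public/gallery"},
    {"ts": "2026-01-31T09:14:00Z", "process": "Google Chrome",
     "dst_ip": "203.0.113.10", "dst_port": 443, "host": "api.mainnet-beta.solana.com", "path": "/"},
    {"ts": "2026-01-31T09:15:00Z", "process": "curl",
     "dst_ip": "140.82.52.31", "dst_port": 80, "host": "", "path": "/wall"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(*alert)
```

The ordering inside `classify()` is deliberate: a hit on a known C2 address is reported regardless of process, while the weaker, context-dependent indicators are gated on the process name first. Expect the "solana_rpc" and "calendar_api" rules to need tuning (a developer who actually builds Solana tooling will trigger the former from `node`), and treat "known_c2" as the page's "Active infection" row.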
Platform response
Open VSX removes malicious extensions as they’re reported, but new variants continue to appear. The January 30 incident—where an established, trusted publisher account was compromised—demonstrates that even careful extension vetting can be defeated by account takeovers.
Eclipse Foundation response
The Open VSX security team (operated by Eclipse Foundation) took the following actions:
| Action | Status |
|---|---|
| Unauthorized publishing confirmed | Complete |
| Compromised tokens revoked | Complete |
| Malicious releases removed | Complete |
| Clean versions restored | Available |
| Account recovery | In progress |
As of the latest update, all available versions of the affected “oorzc” extensions are clean.
Security gaps
| Issue | Impact |
|---|---|
| No mandatory 2FA for publishers | Account takeover enables trusted-publisher abuse |
| Reactive removal only | Malware distributed during detection gap |
| No code signing | Difficult to verify extension integrity |
| Limited automated analysis | Invisible Unicode and blockchain C2 evade detection |
Recommendations for organizations
| Priority | Action |
|---|---|
| Critical | Implement extension allowlisting for developer environments |
| High | Monitor for Solana RPC and unusual API traffic from dev machines |
| High | Deploy file integrity monitoring on VS Code extension directories |
| Medium | Require 2FA for all developer marketplace accounts |
| Ongoing | Security awareness training on supply chain risks |
Context
GlassWorm represents a new evolution in supply chain attacks: self-propagating malware that uses blockchain infrastructure for takedown-resistant C2 and invisible code obfuscation to evade review. The combination of worm behavior, trusted-publisher compromise, and crypto-targeting payloads makes this particularly dangerous for organizations with developer populations.
Developers working with VS Code extensions should treat the supply chain as hostile and verify extensions at every update, not just initial installation.
Incident response guidance
If you installed any extension from the IOC list:
| Step | Action |
|---|---|
| 1 | Treat as credential exposure event |
| 2 | Remove the malicious extension |
| 3 | Delete on-disk artifacts |
| 4 | Rotate all developer credentials (SSH, NPM, GitHub, Git) |
| 5 | Verify hardware wallet applications |
| 6 | Check for LaunchAgents (macOS) or scheduled tasks (Windows) |
| 7 | Scan for connections to known C2 IPs |
Organizations should also consider disabling auto-update for extensions and implementing a centralized allowlist for approved packages.