Ethical Hacking News
The GlassWorm campaign has found a new way into the Visual Studio Code (VS Code) ecosystem, this time through three malicious extensions. The latest development highlights the need for users to prioritize security and verify the authenticity of any extension before adding it to their system.
The GlassWorm campaign has been spotted spreading its tentacles into the Visual Studio Code (VS Code) ecosystem. The malicious actors have leveraged three popular extensions to harvest sensitive information from unsuspecting users. The threat actors use invisible Unicode characters to hide malicious code in code editors, evading detection and compromising additional extensions. A fresh transaction has been posted on the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. Researchers have identified a partial list of victims spanning multiple regions, including a major government entity from the Middle East. The threat actor is believed to be Russian-speaking and uses an open-source browser extension C2 framework named RedExt as part of their infrastructure. Users are advised to prioritize security and verify the authenticity of any extension before adding it to their system.
GlassWorm, a malicious campaign that has been making waves in the cybersecurity community, has once again been spotted spreading its tentacles into the Visual Studio Code (VS Code) ecosystem. This time around, the malicious actors have leveraged three popular extensions - ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs - to harvest sensitive information from unsuspecting users.
The GlassWorm campaign, first documented by Koi Security last month, has been making headlines for its ability to use invisible Unicode characters to hide malicious code in code editors. This tactic allows the malware to evade detection and compromise additional extensions, creating a self-replication cycle that enables it to spread like a worm.
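A defender-side check for the technique described above, written as an added example and not code from Koi Security or from the campaign's own tooling: it scans an unpacked extension's script files for runs of invisible Unicode characters (anything in Unicode category Cf, such as zero-width joiners and bidi controls, plus the variation-selector ranges, which are an assumed list) and flags long runs as payload-like while tolerating the single joiner found inside an emoji literal.

```python
import unicodedata
from dataclasses import dataclass
from pathlib import Path

# Invisible codepoints that are NOT in Unicode category Cf (assumed list for
# this example): variation selectors render as nothing on their own.
INVISIBLE_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Cf covers zero-width space/joiners, bidi controls, tag characters, BOM.
    return unicodedata.category(ch) == "Cf"

@dataclass
class Finding:
    line: int         # 1-based line number
    col: int          # 0-based column where the run starts
    length: int       # consecutive invisible characters in the run
    codepoints: list  # distinct codepoints in the run, e.g. ["U+FE0F"]

    @property
    def severity(self) -> str:
        # One joiner inside an emoji literal is normal; a long run is suspicious.
        return "high" if self.length >= 8 else "low"

def scan_source(text: str) -> list:
    """Report every run of invisible characters, ignoring a leading BOM."""
    if text.startswith("\ufeff"):
        text = text[1:]
    findings, run = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line + "\n"):  # "\n" is Cc, so it closes a run
            if is_invisible(ch):
                run.append((col, ch))
            elif run:
                cps = sorted({f"U+{ord(c):04X}" for _, c in run})
                findings.append(Finding(lineno, run[0][0], len(run), cps))
                run = []
    return findings

def scan_extension_dir(root: str) -> dict:
    """Map each script file under an unpacked extension directory to its findings."""
    files = (p for p in Path(root).rglob("*")
             if p.is_file() and p.suffix in (".js", ".mjs", ".cjs", ".ts"))
    report = {str(p.relative_to(root)): scan_source(p.read_text("utf-8", "replace")) for p in files}
    return {k: v for k, v in report.items() if v}
```

Point `scan_extension_dir` at an extracted `.vsix` (or a folder under `~/.vscode/extensions`) and review any "high" findings by hand; a long run of format characters inside a source file has no legitimate reason to be there.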
According to recent findings from Koi Security, the threat actors have successfully posted a fresh transaction on the Solana blockchain, providing an updated C2 (command-and-control) endpoint for downloading the next-stage payload. This move demonstrates the resilience of blockchain-based C2 infrastructure and highlights the need for users to remain vigilant in their online activities.
Furthermore, researchers have identified an endpoint that was inadvertently exposed on the attacker's server, uncovering a partial list of victims spanning the U.S., South America, Europe, and Asia. This includes a major government entity from the Middle East, further emphasizing the severity of this threat.
Additionally, analysis has revealed keylogger information supposedly from the attacker's own machine, which has yielded some clues as to GlassWorm's provenance. The threat actor is believed to be Russian-speaking and uses an open-source browser extension C2 framework named RedExt as part of their infrastructure.
These findings are a stark reminder that cybersecurity threats can come in many forms and can have far-reaching consequences. As the GlassWorm campaign continues to evolve, it is essential for users to stay informed and take proactive measures to protect themselves.
In response to the latest developments, Open VSX has identified and removed all of the malicious extensions and rotated or revoked the associated tokens as of October 21, 2025. However, this may not be enough to prevent further exploitation, highlighting the need for continuous vigilance in the face of emerging threats.
The incident serves as a wake-up call for users to exercise caution when installing extensions on their VS Code installations. It is crucial to prioritize security and verify the authenticity of any extension before adding it to one's system.
In conclusion, the GlassWorm malware campaign has once again demonstrated its ability to spread quickly and quietly, leaving a trail of compromised systems in its wake. As users navigate the complex world of cybersecurity, it is essential to remain informed and take proactive measures to protect oneself from such threats.
Published: Mon Nov 10 06:53:35 2025 by llama3.2 3B Q4_K_M