Cybersecurity

GlassWorm hid invisible code in VS Code extensions for a year before its takedown

Susan Hill

For more than a year, some of the developers building the apps on your phone were quietly working for someone else. A piece of malware called GlassWorm lived inside extensions for Visual Studio Code, the most widely used code editor in the world, and inside the open-source packages those developers pull into their projects every day. It harvested their passwords, hijacked their accounts, and used them to plant itself in still more software. CrowdStrike, Google, and the Shadowserver Foundation have now cut its strings.

That matters even to people who have never opened a code editor, because the software supply chain is exactly that, a chain. The messaging app on a phone, the banking app, the game on a console all rest on thousands of small open-source building blocks written and maintained by other people. Poison one of those blocks and the poison can travel downstream into finished products used by millions. GlassWorm was built to ride that current, and to do it without being seen.

What set it apart was the hiding. Its operators wrote the malicious instructions using invisible Unicode characters, code that renders as blank space inside an editor, so a developer reviewing the file saw nothing out of place. Researchers at Koi Security, who first identified the campaign, called it the first self-propagating worm to spread through code-editor extensions. Every machine it infected became the launch point for the next one.

Most supply-chain attacks are smash-and-grab: a single poisoned package is found, pulled, and patched within days. GlassWorm was built to last. Because it stole the credentials it needed in order to spread, it could keep replanting itself long after any one extension came down, which is how a single operation reached hundreds of projects and tens of thousands of downloads across more than a year.

The infection routes were the ordinary plumbing of modern software work. The operators uploaded booby-trapped extensions to Open VSX, the marketplace that feeds VS Code and its popular cousins Cursor, Windsurf, Positron, and VSCodium, dressing them up as harmless tools like time trackers and code formatters. They slipped tainted code into packages on npm and Python’s package index through install scripts that run on their own, and with credentials taken from earlier victims they force-pushed malicious commits into the main branches of more than 300 repositories on GitHub. Once inside a machine, GlassWorm hunted for keys: npm tokens, GitHub logins, the publishing tokens that let a developer push extensions, and cryptocurrency wallets. It turned infected computers into relay servers for other criminal traffic and, in some cases, installed hidden remote-access software that gave the operators a live view of the screen.

Taking it down meant going after how the operators stayed in contact with their machines, and here GlassWorm had been built to survive. Rather than rely on one command server that could be unplugged, it used four separate channels at once. One encoded its instructions inside transactions on the Solana blockchain, a public ledger designed to be permanent and beyond anyone’s reach. Another hid configuration data in the BitTorrent file-sharing network. A third tucked coded web addresses into the titles of Google Calendar events. The fourth was a plain rented server. CrowdStrike’s Counter Adversary Operations team, working with Google and Shadowserver, severed the entire set in a single coordinated strike.

Cutting the cords is not the same as cleaning the wound. Severing the channels stops the operators from sending new orders and pushing fresh payloads, but it does nothing to remove GlassWorm from the machines it already controls, and every password it has already taken stays taken. This is not the campaign’s first disruption either. After Koi Security first exposed it, GlassWorm came back, once with two dozen fresh malicious extensions and again months later with dozens more. The blockchain channel that researchers had described as impossible to take down has now been taken down, but the people behind it have repeatedly shown they rebuild.

Investigators believe the operators are likely based in Russia. The malware checks a computer’s language and time-zone settings as it starts and quietly exits if it lands on a system in Russia or a neighbouring former-Soviet state, a familiar tell of criminal crews that work from the region and avoid local victims. CrowdStrike framed the shift in flat terms: attackers are no longer only going after products, they are going after the developers who build them. The Shadowserver Foundation has begun notifying affected organisations so they can disinfect their systems and rotate every credential that may have leaked, and for everyone further down the chain the real work starts now, as teams audit which extensions and packages they have installed since the start of 2025. The infrastructure is dark. The cleanup has barely begun.
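The two practical points above, that the malicious instructions were hidden behind Unicode characters that render as blank space, and that teams now need to audit the extensions and packages installed on their machines, can be combined into one defensive check. The script below is an added example written for this article; it is not code from the article, from CrowdStrike, Koi Security or the GlassWorm operators, and the set of "invisible" code-point ranges is assumed from the Unicode standard rather than taken from any report on the campaign. It flags source files that carry a run of zero-width, bidirectional-control, variation-selector or tag characters, and by default walks `~/.vscode/extensions`, the usual extension directory on Linux and macOS (an assumption; pass another path as the first argument).

```python
import os
import sys
import unicodedata

# Code points that render as nothing (or as plain blank space) in most editors
# yet survive inside string literals, comments and identifiers. The ranges are
# assumed from the Unicode standard; the article names no specific characters.
INVISIBLE_RANGES = (
    (0x00AD, 0x00AD),    # soft hyphen
    (0x180E, 0x180E),    # Mongolian vowel separator
    (0x200B, 0x200F),    # zero-width space, joiners, LRM/RLM marks
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # byte-order mark / zero-width no-break space
    (0xE0000, 0xE007F),  # Unicode "tags" block
    (0xE0100, 0xE01EF),  # variation selectors supplement
)


def is_invisible(ch):
    """True if the character is in a listed invisible range, or is any other
    non-ASCII format character (Unicode category Cf)."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return cp > 0x7F and unicodedata.category(ch) == "Cf"


def find_invisible(text):
    """Locate every invisible character as (line, column, 'U+XXXX', name)."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits


def suspicious_lines(text, threshold=8):
    """Line numbers carrying at least `threshold` invisible characters.

    A stray zero-width joiner in a comment is noise; a long run on one line
    is a plausible hidden payload and deserves a manual look."""
    counts = {}
    for line_no, _col, _cp, _name in find_invisible(text):
        counts[line_no] = counts.get(line_no, 0) + 1
    return sorted(n for n, c in counts.items() if c >= threshold)


def scan_tree(root, exts=(".js", ".ts", ".mjs", ".cjs", ".json", ".py")):
    """Walk a directory tree (e.g. an extensions folder) and return
    {file path: [suspicious line numbers]} for files that trip the check."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = suspicious_lines(fh.read())
            except OSError:
                continue
            if lines:
                findings[path] = lines
    return findings


# Constructed sample (not taken from any real extension): one clean line and
# one line whose string literal hides 20 characters from the Unicode tags block.
SAMPLE = (
    "const version = '1.0.3';\n"
    "const cfg = '" + "".join(chr(0xE0041 + i) for i in range(20)) + "';\n"
)


if __name__ == "__main__":
    # Assumed default location of installed VS Code extensions on Linux/macOS.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.vscode/extensions")
    for path, lines in scan_tree(target).items():
        print(f"{path}: invisible-character runs on lines {lines}")
```

The threshold is deliberately a count per line rather than a simple presence check: legitimate code does occasionally contain a byte-order mark or a lone zero-width joiner in a localized string, whereas a payload encoded this way has to pack many such characters together. Anything the scan reports is a candidate for review, not proof of compromise, and the same function can be pointed at a `node_modules` or site-packages tree when auditing dependencies.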
