
GlassWorm worm discovered in OpenVSX and VS Code

Researchers from Koi Security have observed a large-scale supply chain attack against OpenVSX and the Visual Studio Code Marketplace. The attackers are distributing a self-replicating malware called GlassWorm through compromised extensions, which had already been installed about 35,800 times at the time of the report.

Researchers have discovered at least eleven GlassWorm-infected extensions in OpenVSX and one in the Visual Studio Code Marketplace:

• codejoy.codejoy-vscode-extension@1.8.3 and 1.8.4;
• l-igh-t.vscode-theme-seti-folder@1.2.3;
• kleinesfilmroellchen.serenity-dsl-syntaxhighlight@0.3.2;
• JScearcy.rust-doc-viewer@4.2.1;
• SIRILMP.dark-theme-sm@3.11.4;
• CodeInKlingon.git-worktree-menu@1.0.9 and 1.0.91;
• ginfuru.better-nunjucks@0.3.2;
• ellacrity.recoil@0.7.4;
• grrrck.positron-plus-1-e@0.0.71;
• jeronimoekerdt.color-picker-universal@2.8.91;
• srcery-colors.srcery-colors@0.3.9;
• cline-ai-main.cline-ai-agent@3.1.3 (Microsoft VS Code).

The malware hides its malicious code behind invisible Unicode characters, so the injected payload does not show up in an editor or in a casual code review. In addition, GlassWorm has worm-like functionality and can spread autonomously: using credentials stolen from a victim, it publishes infected versions of other extensions that the victim has publishing access to.
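Because the injected code is invisible to a human reader, the practical check is a mechanical one: scan extension sources for code points that render as nothing but are still part of the token stream. The following scanner is an added example written for this article, not Koi Security's tooling or GlassWorm's code. It flags runs of format/control characters, zero-width characters and Unicode variation selectors. The sample source and the byte-to-variation-selector mapping used to build it are constructed for illustration only; the article does not state which encoding GlassWorm actually uses.

```python
import unicodedata

# Categories that are normally invisible: format, control, private-use, unassigned.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}
# Controls that legitimately appear in source files.
ALLOWED_CONTROLS = {"\n", "\r", "\t"}
# Individual code points worth flagging even though some are categorised as marks.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x034F, 0x180E}


def is_invisible(ch):
    """True if the character would be invisible in an editor but survives in the file."""
    if ch in ALLOWED_CONTROLS:
        return False
    cp = ord(ch)
    # Variation selectors (U+FE00..FE0F, U+E0100..E01EF) and tag characters (U+E0000..E007F).
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF or 0xE0000 <= cp <= 0xE007F:
        return True
    if cp in ZERO_WIDTH:
        return True
    return unicodedata.category(ch) in INVISIBLE_CATEGORIES


def scan_source(text, min_run=1):
    """Return (line, column, run_length, first_code_point) for each run of invisible characters.

    A single stray zero-width character is suspicious; a run of dozens is almost
    certainly an encoded payload rather than an editing accident.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if is_invisible(line[col]):
                start = col
                while col < len(line) and is_invisible(line[col]):
                    col += 1
                if col - start >= min_run:
                    findings.append((line_no, start, col - start, f"U+{ord(line[start]):04X}"))
            else:
                col += 1
    return findings


def decode_variation_run(run):
    """Recover bytes from a run of supplementary variation selectors.

    Assumes the constructed offset encoding used in SAMPLE below (byte b -> U+E0100+b).
    This is an illustrative assumption, not a description of GlassWorm's real scheme.
    """
    return bytes(ord(ch) - 0xE0100 for ch in run if 0xE0100 <= ord(ch) <= 0xE01EF)


# Constructed sample: an innocent-looking extension entry point with a hidden run
# appended to the last line. It is not code from any real extension.
HIDDEN = b"eval(atob('...'))"
SAMPLE = (
    "const name = 'seti-folder';\n"
    "module.exports = { activate() { return name; } };"
    + "".join(chr(0xE0100 + b) for b in HIDDEN)
    + "\n"
)

if __name__ == "__main__":
    for line, col, length, first in scan_source(SAMPLE):
        run = SAMPLE.splitlines()[line - 1][col:col + length]
        print(f"line {line} col {col}: {length} invisible chars starting at {first}")
        print("  decoded (assumed encoding):", decode_variation_run(run))
```

Running the scanner over an extension's `out/` or `dist/` directory before an update is installed, or as a CI gate on the publisher's side, turns the "silent" part of the infection into a visible diff: a two-line file that suddenly carries a 17-character run of variation selectors is something a reviewer can reject.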

Attackers use the Solana blockchain to control their botnet, with Google Calendar serving as a fallback communication channel.

Upon installation, the malware attempts to steal credentials for GitHub, npm, and OpenVSX accounts, as well as wallet data from 49 different cryptocurrency wallet extensions. In addition, GlassWorm deploys a SOCKS proxy to route malicious traffic through the victim's machine and installs hidden VNC (HVNC) components for covert remote access.

The worm's code hard-codes a Solana wallet address; transactions associated with that address carry base64-encoded links to the payload for the next stage of the attack. Using a public blockchain to distribute payload locations is gaining popularity among criminals because of several operational advantages: the transactions cannot be taken down, the operator stays anonymous, publishing is cheap, and the payload location can be changed at any time by posting a new transaction.

According to the researchers, the final payload of this attack is called ZOMBI and is “highly obfuscated JavaScript code” that turns infected systems into parts of a botnet.

The fallback method for loading payloads works via Google Calendar event titles that contain a base64-encoded URL. A third delivery method uses a direct connection to an IP address controlled by the attackers (217.69.3[.]218).
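Both the on-chain channel and the Google Calendar fallback carry the same kind of indicator: a base64-encoded URL embedded in free text. The helper below is an added example for this article, not tooling from Koi Security or code from the malware. Given text pulled from a transaction or a calendar event, it finds base64-looking tokens, repairs missing padding, tries both the standard and URL-safe alphabets, and keeps only decodings that are well-formed URLs. The sample memo and event title, and the hosts in them, are constructed; they are not indicators from the real campaign.

```python
import base64
import re

# A plausible base64 token: long enough to encode a URL, either alphabet, optional padding.
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
# Accept only decodings that look like an http(s) URL with no whitespace.
URL_RE = re.compile(r"^https?://[^\s]+$")


def extract_payload_urls(blob):
    """Return de-duplicated URLs hidden as base64 inside arbitrary text."""
    urls = []
    for cand in B64_CANDIDATE.findall(blob):
        # Operators often drop '=' padding; restore it so the decoder does not reject the token.
        padded = cand + "=" * (-len(cand) % 4)
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                text = decoder(padded).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if URL_RE.match(text) and text not in urls:
                urls.append(text)
    return urls


# Constructed samples (example.invalid and 203.0.113.0/24 are reserved for documentation).
SAMPLE_MEMO = "memo: " + base64.b64encode(b"https://example.invalid/stage2.js").decode()
SAMPLE_TITLE = "Weekly sync " + base64.urlsafe_b64encode(b"http://203.0.113.7/fallback.bin").decode()
SAMPLE_NOISE = "commit 9f2c1a7e3b4d5c6f8a9b0c1d2e3f4a5b6c7d8e9f"

if __name__ == "__main__":
    for label, blob in (("memo", SAMPLE_MEMO), ("calendar", SAMPLE_TITLE), ("noise", SAMPLE_NOISE)):
        print(label, "->", extract_payload_urls(blob))
```

The URL check is what keeps false positives down: commit hashes, JWT fragments and other long alphanumeric tokens decode to something, but rarely to `https://...`. Any URL this returns from a wallet's transaction history or from a calendar the victim never created is a next-stage download location and belongs in the block list, not just the incident notes.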

For additional stealth and resilience, the malware also leverages the BitTorrent Distributed Hash Table (DHT), so command distribution does not depend on any single server that defenders could seize.

“This situation is particularly serious because VS Code extensions are updated automatically. When CodeJoy released version 1.8.3 with invisible malware, all users with CodeJoy installed automatically received the infected version. No user interaction. No warnings. Silent automatic infection,” the researchers note.

At the time the report was published by Koi Security, at least four compromised extensions were still available for download on OpenVSX, while Microsoft removed the malicious extension from its marketplace after being alerted by the researchers. It is also noted that the developers of vscode-theme-seti-folder and git-worktree-menu updated their extensions and removed the malicious code.

It is worth noting that last month a similar attack by the Shai-Hulud worm hit the npm ecosystem, compromising 187 packages. That malware used the TruffleHog scanner to hunt for secrets, passwords, and keys on infected machines.

Koi Security calls GlassWorm “one of the most sophisticated supply chain attacks” and the first documented case of a worm attack on VS Code. Experts warn that the command-and-control servers and servers hosting GlassWorm payloads remain active, and the campaign may continue.
