Three Strikes For GlassWorm
There’s an evolution happening in real time with malware these days. Sophisticated, disparate tactics being used in concert to create innovative ways to infiltrate, exfiltrate and evade detection. It’s a mix and match selection of traits, some new like AI prompt injection, some tried and true like Trojans. In recent weeks, I’ve noticed an uptick in worm campaigns, malware that is self-perpetuating and agentic, meaning it requires no human oversight. Shai-Hulud that attacks npm packages, for example.
And now we have GlassWorm.
First reported on in October, GlassWorm shares some characteristics with Shai-Hulud, in that it attacks the developer supply chains and propagates itself via compromised credentials. It hijacks one, then finds another to in essence establish itself within a system for persistence and infectious transmission between shared networks. Where Shai-Hulud uses JavaScript commands, GlassWorm uses the Solana blockchain for command-and-control, with a backup mechanism in Google Calendar. The first wave of the attack infected 13 extensions, most of which were on OpenVSX and one on the Microsoft Extension Marketplace. A second wave hit in November, and was observed targeting GitHub repositories.
This third wave has been seen in both. 24 extensions between VS Code Marketplace and OpenVSX have been targeted, two of which have been removed at the time of reporting. The new adaptation is still using its previous tactic of Unicode variation selectors, which hides its presence from code editors by not producing any visual output. But now it includes Rust-based implants into the compromised packages, making it cross-platforming for Windows and macOS.
Worms like this abuse the nature of visual script extensions, which are auto-updated even without user interaction. Once in the system, they stay there until found. With artificially inflated download metrics as part of the malicious tactics, the infected packages are coming up in searches more frequently, often ahead of those they’re mimicking. And thus tricking the unwary into clicking on them instead of the legitimate versions. Once installed, the malware captures a variety of credentials and authentication tokens, as well as other data. These are then transmitted to the C2 servers which turns any compromised system into a remote node for further malicious activity.
The Hacker News has a list of compromised extensions, for those concerned with whether or not they’ve been infected. As does John Tuckner’s report for Secure Annex. He is credited with discovering the November wave. Because the infected versions are mimicking legitimate ones it can be hard to tell the difference between them, especially on mobile platforms where full site addresses or sources are hidden due to screen space. As always, never click an untrusted link. Although, I have to acknowledge that that advice is becoming less useful as threat actors get more creative with inserting their malware into genuine codes. This is another case where I’ll be keeping my eye on things as they develop, and will update as needed.
Posted on LinkedIn, 12/3/25















