GlassWorm Is Back From The Dead

The GlassWorm malware has resurfaced in the Open VSX registry just two weeks after its removal from the VS Code marketplace, according to Koi Security. Originally spread through infected extensions designed to steal developer credentials and cryptocurrency funds, GlassWorm is notable for concealing malicious code with Unicode variation selectors and using the Solana blockchain for command-and-control. Despite earlier containment claims, new infected extensions with 10,000 combined downloads were discovered on November 6. The malware’s operators, identified as Russian-speaking, use RedExt and multiple crypto exchanges to manage their C&C infrastructure. Koi Security reports that the campaign remains active, with compromised systems repurposed as criminal proxy nodes. Aikido Security also found related malicious repositories on GitHub, suggesting the same actor is now blending realistic, AI-assisted commits into open-source projects to mask malicious intent.
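As an added example (not code from Koi Security, Aikido, or the original post), here is a small Python scanner that flags long runs of invisible Unicode variation selectors, the concealment trick described above, inside extension source files. The sample input is constructed, and the byte-to-selector mapping used to build it is a stand-in for illustration, not GlassWorm's actual encoding.

```python
from pathlib import Path

# Unicode variation selectors: VS1-VS16 (U+FE00..U+FE0F) and VS17-VS256
# (U+E0100..U+E01EF). They render as nothing, which is why a payload hidden
# in them is invisible in an editor diff or code review.
VS_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


def is_variation_selector(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VS_RANGES)


def find_hidden_runs(text: str, min_run: int = 8):
    # Legitimate use is a single selector after an emoji or CJK base
    # character, so a long consecutive run is the signal worth flagging.
    findings = []  # (line_no, col, run_length)
    for line_no, line in enumerate(text.splitlines(), start=1):
        run_start = None
        for col, ch in enumerate(line):
            if is_variation_selector(ch):
                if run_start is None:
                    run_start = col
            else:
                if run_start is not None and col - run_start >= min_run:
                    findings.append((line_no, run_start, col - run_start))
                run_start = None
        if run_start is not None and len(line) - run_start >= min_run:
            findings.append((line_no, run_start, len(line) - run_start))
    return findings


def scan_extension_dir(root: str, exts=(".js", ".ts", ".json")):
    # Walk an unpacked extension (hypothetical path) and report files with hits.
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in exts:
            hits = find_hidden_runs(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: a benign line, an emoji with one VS16 (legitimate),
# and a line whose comment is followed by a long invisible run.
SAMPLE = (
    "const api = require('vscode');\n"
    "const banner = '\u2764\ufe0f welcome';\n"
    "// init" + "".join(chr(0xE0100 + (b % 240)) for b in b"payload-bytes") + "\n"
)
```

Calling `find_hidden_runs(SAMPLE)` reports only the third line, with 13 hidden selectors starting at column 7; the single VS16 on the emoji line is left alone.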

Dale Hoak, CISO, RegScale, provided this comment:

“GlassWorm’s resurgence is a clear reminder that the software supply chain is now a primary battleground. Adversaries are using automation, obfuscation, and AI-generated commits to hide in plain sight—turning trust itself into an attack vector.

Security teams need to move beyond point-in-time audits toward continuous validation of code integrity, dependencies, and configurations. Platforms should help operationalize this mindset by automating evidence collection, monitoring control drift, and keeping compliance data in sync with real-time risk.

Continuous assurance isn’t a goal—it’s the new baseline for defending modern development ecosystems.”

Will Baxter, Field CISO, Team Cymru, had this to say:

“From a threat intelligence standpoint, GlassWorm demonstrates a convergence of advanced tradecraft — blockchain-based C2, Unicode obfuscation, and AI-assisted commits — designed to evade detection and frustrate attribution. The persistence across registries and code-hosting platforms shows this isn’t an isolated campaign but an adaptive actor operating across ecosystems. Mapping and proactively tracking overlapping infrastructure will be critical to constraining the group’s operational reach — and that effort will depend on sustained community collaboration and timely intelligence sharing.”

Gunter Ollmann, CTO, Cobalt:

“GlassWorm underscores the growing challenge of securing the developer toolchain. Attackers are no longer just exploiting vulnerabilities—they’re weaponizing trust. Offensive testing strategies that emulate this kind of real-world supply chain compromise can help organizations understand their exposure before adversaries do. The ability to test, validate, and respond quickly is what separates resilient development environments from those that become conduits for compromise.”

GlassWorm's return from the dead shows how quickly threat actors evolve, and defenders need to evolve just as quickly to stay ahead of them.
