The IT Nerd

GlassWorm, a highly sophisticated self-propagating malware campaign targeting Visual Studio Code developers via the OpenVSX marketplace, has been discovered by Koi Security. The worm steals credentials from NPM, GitHub, and Git, drains cryptocurrency extensions, deploys hidden VNC and SOCKS proxies, and spreads through compromised extensions using stolen credentials. Notably, GlassWorm hides its payload with invisible Unicode variation selectors, rendering it invisible to human reviewers and many static analysis tools. Its command-and-control leverages the Solana blockchain for persistence and anonymity, with Google Calendar as backup infrastructure. Over 35,800 installations have been affected, with at least 10 extensions still active as of this weekend.

Dale Hoak, CISO, RegScale had this comment:

     “The GlassWorm campaign underscores the growing compliance and regulatory risks inherent in today’s open-source and developer ecosystems. Software supply chain attacks no longer target only the end product—they exploit the very tools and dependencies developers trust most. Organizations must move beyond periodic control reviews and adopt continuous monitoring and automation across their build pipelines to detect drift, compromise, or unauthorized changes in real time. Compliance controls governing software supply chain integrity should be codified and enforced as part of the CI/CD process, ensuring that when vulnerabilities like this surface, evidence of continuous validation, provenance tracking, and rapid remediation is already embedded in the operational fabric. This event is another reminder that compliance cannot be static documentation—it must be a living control system that evolves with every dependency update and build cycle.”

Will Baxter, Field CISO, Team Cymru follows with this:

      “The GlassWorm campaign marks a fundamental shift in the developer-ecosystem threat model: a self-propagating worm hidden inside VS Code extensions that leverages invisible Unicode, blockchain-based C2 (Solana) and legitimate infrastructure (Google Calendar) to resist coordinated takedown. By harvesting NPM, GitHub and OpenVSX tokens, hijacking crypto-wallet extensions and converting developer machines into SOCKS proxies and hidden VNC nodes, the attackers move far beyond standard supply-chain compromises. This isn’t just a supply-chain problem—it’s a new infrastructure layer merging cyber-crime tooling, blockchain resilience and developer-tooling pivoting. Intelligence sharing between registry operators, threat researchers and blockchain-monitoring partners must work together if we’re to see these hybrid attacks flagged and disrupted before developer systems become massive proxy networks.”

Gunter Ollmann, CTO, Cobalt adds this:

     “This campaign underscores how adversaries are evolving their tradecraft to weaponize the software supply chain at its roots. Developers have become high-value targets because compromising their toolchains can cascade across entire ecosystems. The use of blockchain and invisible Unicode payloads shows how detection and takedown are becoming increasingly difficult and require coordination across a growing number of stakeholders. Botnets and bot agents like GlassWorm are precisely the kind of technologies leveraged by state actors in preparation for cyberwarfare, where persistence and resilience to disruption are core tactical advantages. Frequent testing of defenses, SOC playbooks, and offensive security readiness is essential to expose weaknesses before attackers do.”

Even in a moment in time where there’s a new campaign every week from the forces of evil, this one is pretty bad. I am hoping that the result of this campaign is not as devastating and I think it will be. Though I will not be shocked if it is.

Japanese retail giant Muji has taken offline its store due to a logistics outage caused by a ransomware attack at its delivery partner, Askul. 

Rebecca Moody, Head of Data Research at Comparitech: 

“This is another prime example of how far-reaching the consequences of a ransomware attack can be and highlights why sectors like retail and manufacturing remain a key focus for hackers. 

So far this year, we’ve recorded nearly 400 claims from ransomware groups on retailers across the world with 40 of these having been confirmed by the entity involved. While we don’t yet know which gang is responsible for the attack on Askul, you can bet your bottom dollar we’ll find out soon if ransom negotiations fail. It’s also likely that the hackers will have stolen data in the process of their attack, and with the size of Askul and the number of companies it deals with, this could be significant.”

Martin Jartelius, AI Product Director at Outpost24:

“This is a different form of supply chain attack – the company is affected because a core service provider was compromised, rather than its own IT systems. It’s encouraging to see that Muji is taking preventive actions and already has contingency and communication plans in motion. This is the best way to fight ransomware: be prepared, recover quickly, work around disruptions, and avoid paying the groups behind them.

For the organization that suffered the direct breach, it’s still too soon to draw broader conclusions. Neither the perpetrator nor the ransomware strain has been confirmed, and while there have been other major regional incidents recently, any link at this stage would be purely speculative.”

Javvad Malik, Lead CISO Advisor at KnowBe4: 

“The reality of interconnected ecosystems is that you can have spotless internal controls and still be taken offline by a partner’s ransomware. Customers don’t care whose network was hit, they only see that the service or product they need is unavailable and that impacts trust. It’s why it’s important to map critical dependencies beyond IT to logistics and fulfilment, set minimum security baselines in contracts, and practice “supplier outage” playbooks. Monitor for brand impersonation during downtime, and pre‑agree data‑sharing for rapid joint incident response. Ultimately, resilience must extend past your perimeter to the partners that support your operations.”

You’re only as secure as the people that you work with. Thus my recommendation is that you work with your partners to assure your mutual security. After all, these days your mutual security is a requirement and not an option.