GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
Briefly

GlassWorm is a persistent software supply chain campaign targeting software developers through malicious packages and extensions. Its operators have targeted developers with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries. The campaign uses trojanized VS Code extensions published on the Microsoft VS Code Marketplace and Open VSX, which also reaches users of VS Code forks such as Cursor, Positron, Windsurf, and VSCodium. Malicious code has also been introduced through compromised npm and Python packages. The goal is to deliver a data-theft framework that performs credential harvesting, cryptocurrency wallet exfiltration, and system profiling. Later versions deploy a WebSocket-based JavaScript RAT that steals browser data and runs arbitrary code, including installing a Chrome extension that collects screenshots, keystrokes, and clipboard content. Once active, the malware searches for developer credentials that enable further compromise of repositories and package uploads.
"Since at least early 2025, GlassWorm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries."
"GlassWorm, since its emergence last year, has conducted a 'multi-pronged campaign' using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX, thereby making it possible to target users of VS Code forks like Cursor, Positron, Windsurf, and VSCodium."
"The campaign is also known to have introduced malicious code through compromised npm and Python packages. The end goal of the attacks is to deliver a data-theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities."
"Once active, the malware searches the host for developer credentials (GitHub, NPM, OpenVSX tokens, crypto wallets), enabling further compromise of repositories and package uploads."
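The credential-search behaviour described above (GitHub, npm and Open VSX tokens kept in developer config files, plus whatever editor extensions are installed) doubles as a checklist for a defender. The following Python script is an added example, not code from The Hacker News article or from any GlassWorm analysis: it inventories the standard npm, git, pip and VS Code locations under a home directory, reports plaintext tokens with the value redacted, and lists installed extensions for review against the marketplace listing. The sample home directory, extension name and all token values built in `demo()` are constructed for illustration.

```python
"""Developer-workstation audit: find plaintext tokens in the usual config files
and list installed VS Code extensions, so both can be reviewed and cleaned up.

Added example, not from the article. File locations are the standard ones for
npm (~/.npmrc), git (~/.git-credentials), pip/twine (~/.pypirc) and VS Code
(~/.vscode/extensions); the home directory built in demo() is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# (path relative to the home directory, regex capturing a plaintext secret)
CREDENTIAL_FILES = [
    (".npmrc", re.compile(r"_authToken\s*=\s*(\S+)")),
    (".git-credentials", re.compile(r"://[^:/@]+:([^@]+)@")),
    (".pypirc", re.compile(r"^\s*password\s*=\s*(\S+)", re.IGNORECASE)),
]


def redact(secret: str) -> str:
    """Keep only a short prefix so the report itself never leaks the token."""
    return secret[:4] + "..." if len(secret) > 4 else "****"


def find_plaintext_tokens(home: Path) -> list[dict]:
    """Return one finding per credential line found in the known config files."""
    findings = []
    for rel, pattern in CREDENTIAL_FILES:
        path = home / rel
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            match = pattern.search(line)
            if match:
                findings.append({"file": rel, "line": lineno,
                                 "secret": redact(match.group(1))})
    return findings


def list_vscode_extensions(home: Path) -> list[dict]:
    """Read each extension's package.json so the inventory can be compared
    with what the developer actually intended to install."""
    ext_dir = home / ".vscode" / "extensions"
    result = []
    if not ext_dir.is_dir():
        return result
    for manifest in sorted(ext_dir.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        result.append({
            "id": f"{meta.get('publisher', '?')}.{meta.get('name', '?')}",
            "version": meta.get("version", "?"),
            "dir": manifest.parent.name,
        })
    return result


def audit(home: Path) -> dict:
    """Combine both checks into one report for the given home directory."""
    return {"tokens": find_plaintext_tokens(home),
            "extensions": list_vscode_extensions(home)}


def build_sample_home(base: Path) -> Path:
    """Constructed sample: three plaintext-token files and one extension."""
    (base / ".npmrc").write_text(
        "//registry.npmjs.org/:_authToken=npm_SAMPLETOKEN\n")
    (base / ".git-credentials").write_text(
        "https://alice:ghp_SAMPLE@github.com\n")
    (base / ".pypirc").write_text(
        "[pypi]\nusername = __token__\npassword = pypi-SAMPLE\n")
    ext = base / ".vscode" / "extensions" / "example.sample-ext-1.0.0"
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps(
        {"publisher": "example", "name": "sample-ext", "version": "1.0.0"}))
    return base


def demo() -> dict:
    """Run the audit against a throwaway constructed home directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_home(Path(tmp)))


if __name__ == "__main__":
    # Against a real machine: audit(Path.home())
    print(json.dumps(demo(), indent=2))
```

Each finding is a place to replace a long-lived plaintext token with a credential helper or keychain-backed store and a short-lived token, which limits what a stealer on the host can collect; the extension list is worth checking whenever a trusted extension changes publisher or gains capabilities it did not have before.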
Read at The Hacker News