The Invisible Threat: How GlassWorm Is Rewriting the Rules of Supply Chain Security
As a Senior Digital Forensics and Incident Response investigator, I've analyzed countless supply chain attacks over the years, but GlassWorm represents a paradigm shift in adversary tradecraft that demands immediate attention from every security operations center. This self-propagating worm, first detected on October 17, 2025, has compromised 16+ VSCode extensions across OpenVSX and Microsoft VSCode marketplaces, with an estimated 35,800+ confirmed installations and evidence of continued active operations.
When CodeJoy, a productivity extension used by thousands of Visual Studio Code developers, pushed version 1.8.3 on October 17, 2025, no one noticed anything wrong. The code looked clean. Security reviews found nothing suspicious. Developers who checked the files saw their legitimate code, exactly as expected.
They were all wrong.
What they couldn't see was GlassWorm, a self-propagating malware so sophisticated that it represents a fundamental shift in supply chain attacks. Within days, the malware had infected at least 35,800 developer workstations across the OpenVSX and Microsoft Visual Studio marketplaces, turning each victim into an unwitting launch point for exponential spread throughout the software development ecosystem.
For chief information security officers navigating an already complex threat landscape, GlassWorm introduces a troubling reality: traditional code review processes can no longer be trusted to catch malicious code, and the defensive infrastructure enterprises have built may be powerless against attacks that leverage decentralized, immutable systems.
The Code You Cannot See
GlassWorm earned its name through an unprecedented stealth technique that security researchers at Koi Security describe as "actually invisible." The malware exploits Unicode variation selectors and Private Use Area characters, special characters within the Unicode specification designed to produce no visual output in code editors and integrated development environments.
To any developer performing manual code inspection, the malicious payload appears as empty lines or blank space. Even GitHub's diff view, a standard tool for code review, displays nothing suspicious. The JavaScript interpreter, however, reads and executes the code perfectly.
"Like glass, it's completely transparent," explains Idan Dardikman, CTO and co-founder of Koi Security. "You can stare right at it and see nothing."
This represents more than just clever obfuscation. It breaks a fundamental assumption underlying modern software development: that humans can review code to verify its security and legitimacy. Enterprises have invested millions in secure development practices built on this premise. GlassWorm renders those investments inadequate.
The compromised developers whose accounts distributed the malware likely examined their files, saw what appeared to be their original code, and had no awareness they were about to distribute malware to hundreds of users. Because Visual Studio Code extensions update automatically by default, victims received infected versions without any action required. No warning. No user interaction. Just silent, automatic compromise.
Unkillable Infrastructure
Traditional malware campaigns rely on infrastructure that can be disrupted. Domains can be seized, servers can be taken offline, and hosting providers can be compelled to cooperate with law enforcement. GlassWorm's operators designed their command and control system to eliminate these vulnerabilities entirely.
The malware uses a triple-layer command and control infrastructure that security researchers describe as "unkillable." The primary channel operates through the Solana blockchain. GlassWorm searches the blockchain for transactions originating from a hardcoded attacker wallet (28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2). When found, it extracts Base64-encoded payload URLs from the transaction memo field, a space designed for attaching arbitrary text to blockchain transactions.
This architecture offers attackers significant operational advantages. Blockchain transactions are immutable and cannot be deleted or modified, ensuring command and control instructions remain permanently accessible. The system is decentralized, with no single infrastructure point that can be seized or shut down. Connections to Solana RPC nodes appear as legitimate cryptocurrency traffic, unlikely to trigger security alerts. And attackers can rotate infrastructure simply by posting new transactions, which cost mere cents.
"You're playing whack-a-mole with an opponent who has infinite moles," notes Koi Security's analysis. "This isn't some theoretical attack vector. This is a real-world, production-ready C&C infrastructure that's actively serving malware right now. And there's literally no way to take it down."
As a backup mechanism, GlassWorm queries a publicly accessible Google Calendar event. The event title contains another Base64-encoded payload URL. No organization blocks traffic to Google Calendar, providing attackers with reliable, legitimate infrastructure that can be updated instantly by editing an event title.
Both channels ultimately point to direct IP addresses under attacker control (217.69.3.218 and 199.247.10.166), where payloads are encrypted with AES-256-CBC. The decryption keys are not stored in the malware but are dynamically generated per request and delivered through HTTP response headers, preventing interception and analysis.
Once installed, GlassWorm deploys what researchers call the ZOMBI module, transforming infected developer workstations into nodes in a criminal infrastructure network. The name is apt. Compromised machines become automated extensions of the attacker's operations, functioning without the victim's knowledge or consent.
The primary objective is credential harvesting. GlassWorm aggressively targets NPM authentication tokens, GitHub credentials, OpenVSX tokens, and Git credentials. These are not merely trophies. They are the keys required for the worm's self-propagation cycle. Stolen credentials are automatically used to compromise additional packages and extensions, creating exponential spread through the developer ecosystem.
The malware also specifically targets 49 different cryptocurrency wallet extensions, including widely used platforms like Coinbase Wallet, MetaMask, and Phantom. Stolen funds are consolidated to attacker-controlled wallets. Network reconnaissance maps internal corporate systems accessible from the infected workstation, and all harvested data is exfiltrated to dedicated endpoints (140.82.52.31 and 199.247.13.106).
Beyond theft, GlassWorm weaponizes the infected host. It installs a SOCKS proxy server, allowing attackers to route their traffic through the victim's IP address. This anonymizes attacks, bypasses firewalls by providing access to internal network systems the victim machine can reach, and gives attackers a distributed network of proxy servers at no cost.
Most concerning is the deployment of Hidden Virtual Network Computing (HVNC), which provides complete, graphical remote desktop access to the infected machine while remaining entirely invisible to the user. HVNC runs in a hidden virtual desktop that does not appear in the Task Manager and displays no windows on the victim's screen.
The attacker can operate silently in the background, using the victim's browser with all logged-in sessions, reading confidential source code, stealing additional credentials, and pivoting to other systems within the corporate network. They can perform any action the victim could perform, completely undetected.
What distinguishes GlassWorm from traditional supply chain attacks is its autonomous replication. Each infection becomes a launching point for dozens more.
The cycle operates as follows: A compromised developer account pushes invisible malicious code to a legitimate extension. The payload executes and harvests credentials from new victim developers. Those stolen credentials are automatically used to compromise additional packages and extensions across marketplaces. Each newly infected developer machine becomes an infection vector, leading to exponential growth throughout the software development ecosystem.
This pattern represents a troubling evolution. Attackers have moved beyond one-off compromises to building autonomous, self-sustaining malware that spreads without further intervention. "With traditional supply chain attacks, you compromise one package and that's your blast radius," Dardikman explains. "With worms like GlassWorm, each infection is a new launching point for dozens more. It's exponential growth."
Security researchers note that GlassWorm follows Shai Hulud, discovered just one month earlier as the first self-propagating worm in the npm ecosystem. The pattern suggests attackers have identified a repeatable methodology for creating supply chain malware that can spread autonomously through entire development ecosystems.
For enterprise security teams, GlassWorm presents challenges that extend beyond immediate remediation. The attack demonstrates that sophisticated adversaries are systematically undermining the foundations of software supply chain security.
Traditional security controls assume visibility. GlassWorm's invisible code technique eliminates that visibility. Standard code review processes, diff tools, and manual inspection all fail against Unicode-based stealth. Enterprises that have invested in secure development practices must now reckon with the reality that those practices may be insufficient against current threats.
The blockchain-based command and control infrastructure introduces a new category of takedown-resistant malware. Law enforcement cooperation, domain seizures, and hosting provider intervention are irrelevant when attackers operate through decentralized, immutable systems. Enterprise security teams accustomed to coordinating with authorities to disrupt active campaigns will find those playbooks ineffective.
The HVNC capability means that traditional endpoint detection may fail to identify compromised systems. Security operations centers monitoring for suspicious processes or network connections may see nothing unusual while attackers maintain persistent, silent access to developer workstations. These machines often have privileged access to source code repositories, build systems, and production environments, making them high-value targets for lateral movement.
Most critically, the self-propagating nature of GlassWorm means that a single compromised developer credential can cascade into organization-wide compromise. Traditional incident response assumes containment is possible. With autonomous worms that spread through stolen credentials and automatically compromise additional systems, containment becomes significantly more complex.
Indicators of Compromise
Organizations should immediately audit their Visual Studio Code installations for the following compromised extensions:
OpenVSX Marketplace:
codejoy.codejoy-vscode-extension (versions 1.8.3, 1.8.4)
l-igh-t.vscode-theme-seti-folder (version 1.2.3)
kleinesfilmroellchen.serenity-dsl-syntaxhighlight (version 0.3.2)
JScearcy.rust-doc-viewer (version 4.2.1)
SIRILMP.dark-theme-sm (version 3.11.4)
CodeInKlingon.git-worktree-menu (versions 1.0.9, 1.0.91)
ginfuru.better-nunjucks (version 0.3.2)
ellacrity.recoil (version 0.7.4)
grrrck.positron-plus-1-e (version 0.0.71)
jeronimoekerdt.color-picker-universal (version 2.8.91)
srcery-colors.srcery-colors (version 0.3.9)
sissel.shopify-liquid (version 4.0.1)
TretinV3.forts-api-extention (version 0.3.1)
Microsoft Visual Studio Code Marketplace:
cline-ai-main.cline-ai-agent (version 3.1.3)
Network indicators:
Primary C2 IP addresses: 217[.]69.3.218, 199[.]247.10.166
Exfiltration endpoints: 140[.]82.52.31:80/wall, 199[.]247.13.106:80/wall
Solana wallet: 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2
Google Calendar C2: https://calendar[.]app.google/M2ZCvM8ULL56PD1d6
Persistence mechanisms:
Registry keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Registry keys in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Any organization identifying these indicators in their infrastructure should assume full compromise. Affected systems likely have had credentials stolen, cryptocurrency wallets drained, and are currently serving as SOCKS proxy infrastructure for criminal activity.
Immediate Actions for Compromised Systems
Security teams should implement the following response protocol for any system found to be infected:
Immediate isolation: Disconnect the infected machine from all networks to prevent further data exfiltration and lateral movement.
Complete credential rotation: Rotate all secrets and credentials that may have been accessed from the compromised system, including NPM tokens, GitHub personal access tokens and SSH keys, OpenVSX and Visual Studio Code authentication tokens, all stored passwords in browsers and password managers, API keys for cloud services and internal systems, and SSH keys used for server access.
Financial audit: Conduct an immediate audit of all cryptocurrency wallet activity for unauthorized transactions. Review corporate expense accounts and payment systems for suspicious activity.
Forensic analysis: Preserve disk images and memory dumps for forensic investigation. Analyze network logs for evidence of proxy activity and data exfiltration. Identify all systems the infected workstation accessed to determine the scope of potential compromise.
System rebuild: The most secure approach is to assume the machine is fully compromised and perform a complete system rebuild rather than attempting cleanup. HVNC and other rootkit-level capabilities may persist through standard malware removal.
Beyond immediate incident response, enterprises should implement strategic controls to reduce exposure to similar attacks:
Extension governance: Implement a centralized allowlist for Visual Studio Code extensions. Establish formal approval processes for new extensions that include security review and publisher reputation assessment. Maintain an inventory of all approved extensions across the organization. Consider disabling automatic extension updates in favor of controlled deployment after security validation.
Developer workstation hardening: Enforce the principle of least privilege for developer accounts. Implement network segmentation to limit developer workstation access to production systems. Deploy endpoint detection and response solutions specifically tuned for developer environments. Monitor for unusual network connections from development machines, particularly to blockchain RPC nodes or unusual geographies.
Credential security: Implement hardware security keys for all developer authentication. Enforce short-lived tokens with automatic rotation. Deploy credential scanning tools that monitor for leaked secrets in code repositories. Consider secrets management platforms that eliminate the need to store credentials on developer workstations.
Supply chain security: Integrate software composition analysis into continuous integration pipelines. Implement binary attestation and signing for all internally developed components. Monitor third-party dependencies for behavioral changes indicative of compromise. Consider implementing reproducible builds to detect unauthorized modifications.
Detection engineering: Develop detection rules for Unicode-based obfuscation in code repositories. Monitor for connections to blockchain RPC endpoints from non-standard applications. Alert on creation of registry persistence mechanisms. Watch for SOCKS proxy server installation on developer workstations. Track modifications to extension directories outside of standard update processes.
GlassWorm represents the second self-propagating worm targeting software development ecosystems in as many months. The Shai Hulud worm, discovered in September 2025, demonstrated similar self-replication capabilities in the npm package ecosystem. The rapid succession suggests that sophisticated threat actors have developed a repeatable methodology for creating autonomous supply chain malware.
Security researchers at Veracode note that the techniques GlassWorm employs are not entirely novel. Their team documented Unicode-based obfuscation in npm packages in April 2025 and identified Google Calendar command and control infrastructure in May 2025. What distinguishes GlassWorm is the integration of multiple advanced techniques into a cohesive, self-sustaining attack platform.
This convergence of capabilities marks a fundamental shift in the supply chain threat landscape. Attackers are no longer satisfied with compromising individual packages or extensions. They are building autonomous systems designed for exponential spread, with infrastructure specifically engineered to resist takedown efforts.
The implications extend beyond immediate security concerns. Software development increasingly relies on vast ecosystems of third-party code, from package managers to IDE extensions to build tools. Each represents a potential attack vector. GlassWorm demonstrates that sophisticated adversaries have identified methods to weaponize these ecosystems in ways that traditional security controls cannot easily detect or prevent.
Looking Forward
The GlassWorm campaign remains active as of this writing. The attacker's command and control infrastructure continues to operate, payload servers remain responsive, and stolen credentials are still being used to compromise additional packages and extensions. Some compromised extensions remain available for download on OpenVSX, despite the malware being publicly documented.
This persistence underscores the central challenge: when attackers leverage decentralized, immutable infrastructure like blockchain for command and control, traditional takedown methods become ineffective. The security industry will need to develop new approaches for dealing with this class of threat.
For enterprise security leaders, GlassWorm represents a call to fundamentally reassess supply chain security strategies. The assumptions that have guided security investments in this area may no longer be valid. Code review cannot catch invisible malware. Infrastructure takedowns cannot disrupt blockchain-based command and control. Endpoint monitoring may fail to detect hidden remote access.
Organizations that continue to rely on traditional defensive approaches risk falling victim to attacks they have no capability to detect or prevent. The time for reassessment is now, while the industry still has the opportunity to adapt before the next evolution in supply chain threats emerges.
The era of autonomous, self-propagating supply chain malware has begun. How enterprises respond will determine whether they can secure their development ecosystems against an adversary who has rewritten the rules of engagement.