The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue.
GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm, Open VSX, GitHub, and Git credentials, drain cryptocurrency assets from dozens of wallets, and turn developer machines into attacker-controlled nodes for other criminal activities.
The most crucial aspect of the campaign is the abuse of the stolen credentials to compromise additional packages and extensions, thereby spreading the malware like a worm. Despite continued efforts of Microsoft and Open VSX, the malware resurfaced a second time last month, and the attackers were observed targeting GitHub repositories.
The latest wave of the GlassWorm campaign, spotted by Secure Annex’s John Tuckner, involves a total of 24 extensions spanning both repositories. The list of identified extensions is below –
VS Code Marketplace:
- iconkieftwo.icon-theme-materiall (removed as of December 2, 2025)
- prisma-inc.prisma-studio-assistance (removed as of December 1, 2025)
- prettier-vsc.vsce-prettier
- flutcode.flutter-extension
- csvmech.csvrainbow
- codevsce.codelddb-vscode
- saoudrizvsce.claude-devsce
- clangdcode.clangd-vsce
- cweijamysq.sync-settings-vscode
- bphpburnsus.iconesvscode
- klustfix.kluster-code-verify
- vims-vsce.vscode-vim
- yamlcode.yaml-vscode-extension
- solblanco.svetle-vsce
- vsceue.volar-vscode
- redmat.vscode-quarkus-pro
- msjsdreact.react-native-vsce
Open VSX:
- bphpburn.icons-vscode
- tailwind-nuxt.tailwindcss-for-react
- flutcode.flutter-extension
- yamlcode.yaml-vscode-extension
- saoudrizvsce.claude-dev
- saoudrizvsce.claude-devsce
- vitalik.solidity
The attackers have been found to artificially inflate the download counts to make the extensions appear trustworthy and cause them to prominently appear in search results, often in close proximity to the actual projects they impersonate to deceive developers into installing them.
“Once the extension has been approved initially, the attacker seems to easily be able to update code with a new malicious version and easily evade filters,” Tuckner said. “Many code extensions begin with an ‘activate’ context, and the malicious code is slipped in right after the activation occurs.”
The new iteration, while still relying on the invisible Unicode trick, is characterized by the use of Rust-based implants that are packaged inside the extensions. In an analysis of the “icon-theme-materiall” extension, Nextron Systems said it comes with two Rust implants that are capable of targeting Windows and macOS systems –
- A Windows DLL named os.node
- A macOS dynamic library named darwin.node
As observed in the previous GlassWorm infections, the implants are designed to fetch details of the C2 server from a Solana blockchain wallet address and use it to download the next-stage payload, an encrypted JavaScript file. As a backup, they can parse a Google Calendar event to fetch the C2 address.
“Rarely does an attacker publish 20+ malicious extensions across both of the most popular marketplaces in a week,” Tuckner said in a statement. “Many developers could easily be fooled by these extensions and are just one click away from compromise.”
