
Cybersecurity researchers have identified three new malicious extensions linked to the GlassWorm campaign, signaling renewed attempts by threat actors to infiltrate the Visual Studio Code (VS Code) ecosystem. The compromised extensions — still available for download at the time of discovery — include ai-driven-dev.ai-driven-dev (3,402 downloads), adhamu.history-in-sublime-merge (4,057 downloads), and yasuyuky.transient-emacs (2,431 downloads).
First uncovered by Koi Security in late October, GlassWorm is a sophisticated malware campaign that abuses VS Code extensions on both the Open VSX Registry and the Microsoft Extension Marketplace to steal GitHub, Open VSX, and Git credentials. The malware also drains funds from over 49 cryptocurrency wallet extensions and installs additional tools to enable remote access.
What sets GlassWorm apart is its stealth technique: the malicious payload is written into an extension's source using invisible Unicode characters, so the file looks clean to a human reviewer and to scanners that do not flag such characters. The worm-like spread comes from what the malware steals: harvested GitHub and Open VSX credentials let the operators publish trojanized versions of further extensions and push commits to further repositories, propagating across developer environments.
Following the initial disclosure, Open VSX stated that all known malicious extensions had been removed and affected tokens were rotated or revoked as of October 21, 2025. However, new findings from Koi Security reveal that the campaign has re-emerged, once again exploiting Unicode obfuscation to bypass security scans.
“The attacker has posted a fresh transaction to the Solana blockchain, providing an updated C2 [command-and-control] endpoint for downloading the next-stage payload,” explained researchers Idan Dardikman, Yuval Ronen, and Lotan Sery. “This demonstrates the resilience of blockchain-based C2 infrastructure — even if payload servers are taken down, the attacker can post a new transaction for a fraction of a cent, and all infected machines automatically fetch the new location.”
The latest investigation also uncovered a leaked endpoint on the attacker’s own server, revealing a partial victim list spanning the U.S., Europe, South America, and Asia, including a major Middle Eastern government organization. Further forensic analysis traced keylogger data back to the attacker’s own system, suggesting the operator is Russian-speaking and uses the RedExt open-source browser C2 framework.
“These are real organizations and real people whose credentials have been harvested, whose machines may be serving as criminal proxy infrastructure, whose internal networks may already be compromised,” warned Koi Security.
The resurgence of GlassWorm follows a recent report by Aikido Security, which revealed that the malware’s operators are now using stolen GitHub credentials to push malicious commits, expanding their reach beyond the VS Code ecosystem.