A sophisticated, self-propagating malware campaign known as GlassWorm has re-emerged, infecting three new VS Code extensions and confirming its identity as a major threat to the global developer ecosystem. Koi Security, which originally disclosed the worm, reported a new wave of infections just sixteen days after the OpenVSX marketplace declared the incident “fully contained and closed” on October 21, 2025.
This isn’t just a threat to code marketplaces; an analysis of the attacker’s server revealed a partial list of victims spanning “the US, South-America, Europe, and Asia”, including a “major government entity from the Middle East.”
On November 6, 2025, Koi Security detected a fresh wave of GlassWorm compromise targeting three more extensions on the OpenVSX registry:
- ai-driven-dev.ai-driven-dev (3,300 downloads)
- adhamu.history-in-sublime-merge (4,000 downloads)
- yasuyuky.transient-emacs (2,400 downloads)
This new wave alone is responsible for approximately 10,000 additional infections.
The core of the GlassWorm’s stealth remains the use of invisible Unicode characters. The malicious code is encoded in unprintable Unicode characters that “literally disappears from code editors” when viewed by humans, but executes as JavaScript when interpreted by the system. The worm is also now confirmed to have spread to GitHub repositories, using stolen credentials to push malicious commits to additional repos. The threat actors are using “AI-generated commits to hide its invisible payloads in what looks like legitimate code changes”—a dangerous evolution that makes the malicious code blend seamlessly with normal development activity.
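As an added example (not code from the article or from Koi Security), here is a small Node.js scanner that flags source files containing long runs of invisible or format Unicode code points of the kind described above; the code-point ranges, the run-length threshold and the sample inputs are this example's own assumptions, not indicators taken from the GlassWorm analysis.

```javascript
// Added example (not from the article or Koi Security): scan JavaScript
// source for invisible / format Unicode code points. The ranges below are
// this example's own assumption, not a list taken from the GlassWorm analysis.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f, 'zero-width / directional marks'],
  [0x202a, 0x202e, 'bidi embedding / override controls'],
  [0x2060, 0x2064, 'word joiner / invisible operators'],
  [0x2066, 0x2069, 'bidi isolates'],
  [0xfe00, 0xfe0f, 'variation selectors'],
  [0xfeff, 0xfeff, 'zero-width no-break space (BOM)'],
  [0xe0000, 0xe007f, 'tag characters'],
  [0xe0100, 0xe01ef, 'variation selectors supplement'],
];

function classify(cp) {
  for (const [lo, hi, name] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return name;
  }
  return null;
}

// One finding per run of consecutive invisible code points on a line:
// { line, length, categories }. Iterating with for...of walks code points,
// so astral characters such as U+E0100 are seen whole, not as surrogates.
function scanSource(source) {
  const findings = [];
  let line = 1;
  let run = null;
  for (const ch of source) {
    if (ch === '\n') line++;
    const cat = classify(ch.codePointAt(0));
    if (!cat) { run = null; continue; }
    if (run) { run.length++; run.categories.add(cat); }
    else { run = { line, length: 1, categories: new Set([cat]) }; findings.push(run); }
  }
  return findings.map(f => ({ line: f.line, length: f.length, categories: [...f.categories] }));
}

// A single U+FE0F after an emoji or a leading BOM is ordinary; a long run is
// not. The threshold is an assumption of this example; tune it per code base.
const LONG_RUN = 16;
function flagsFile(source) {
  return scanSource(source).some(f => f.length >= LONG_RUN);
}
// Constructed samples, not real payloads: a benign emoji variation selector,
// and a 40-code-point hidden run appended to an innocuous statement.
const benign = 'const icon = "\u2714\uFE0F"; // check mark\n';
const hidden = Array.from({ length: 40 }, (_, i) => String.fromCodePoint(0xe0100 + i)).join('');
const suspicious = 'const config = {};\nconst helper = 1;' + hidden + '\nmodule.exports = {};\n';
console.log(flagsFile(benign), flagsFile(suspicious), scanSource(suspicious));
```

Run it over a file with `scanSource(require('fs').readFileSync(path, 'utf8'))`; a finding's line number tells you where to look, since the run itself will not be visible in the editor.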

The attacker’s infrastructure is proving resilient, relying on decentralized technology for persistence.
- Blockchain C2: The worm continues to leverage the Solana blockchain for its C2 mechanism. The attacker posts a fresh, low-cost transaction to the Solana blockchain, which provides an updated C2 endpoint for downloading the next-stage payload. This strategy creates “unkillable infrastructure” because “even if payload servers are taken down, the attacker can post a new transaction for a fraction of a cent, and all infected machines automatically fetch the new location”.
- Static Servers: Despite the blockchain C2, the primary C2 server (199.247.10.166) and the exfiltration endpoint (199.247.13.106:80/wall) remain operational and unchanged from the original analysis.
Following a tip, Koi Security gained access to an exposed endpoint on the attacker’s server. The data extracted was sobering, confirming the worm’s real-world impact on organizations globally.
Beyond the victim list, the server contained the attacker’s own keylogger data, providing significant leads for attribution:
- The attacker is Russian-speaking.
- They use RedExt, an open-source browser extension C2 framework.
- User IDs for multiple cryptocurrency exchanges (like bybit.com/ru-RU) and messaging platforms were recovered.