First Self-Propagating Worm Using Invisible Code Hits OpenVSX and VS Code

https://news.ycombinator.com/rss Hits: 2
Summary

A month after Shai Hulud became the first self-propagating worm in the npm ecosystem, we have discovered the first worm targeting VS Code extensions on the OpenVSX marketplace.

GlassWorm is not just another supply chain attack. It uses a stealth technique we have not previously seen in the wild: invisible Unicode characters that make the malicious code disappear from view in code editors. It combines that with blockchain-based C2 infrastructure that cannot simply be taken down, Google Calendar as a backup command channel, and a full remote access trojan that turns every infected developer machine into a criminal proxy node.

This is one of the most sophisticated supply chain attacks we have ever analyzed, and it is spreading right now.

GlassWorm puts millions at risk. What GlassWorm does to infected systems:

- Harvests npm, GitHub, and Git credentials for supply chain propagation
- Targets 49 different cryptocurrency wallet extensions to drain funds
- Deploys SOCKS proxy servers, turning developer machines into criminal infrastructure
- Installs hidden VNC servers for complete remote access
- Uses stolen credentials to compromise additional packages and extensions, spreading the worm further

The current state: seven OpenVSX extensions compromised on October 17, 2025, with roughly 35,800 total downloads. Ten extensions are still actively distributing malware as you read this. The attacker's C2 infrastructure is fully operational: payload servers are responding, and stolen credentials are being used to compromise additional packages.

Update (Oct 19, 2025): a newly infected extension has been detected in Microsoft's VS Code marketplace and is still active.

The attack went live yesterday. The infrastructure is active. The worm is spreading.

What Our Risk Engine Detected

Here is how this whole thing started. Our risk engine at Koi flagged an OpenVSX extension called CodeJoy when version 1.8.3 introduced suspicious behavioral changes.
When our researchers dug into it - like we do with any malware our risk engine flags - what we found was very...
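The summary above describes code hidden with invisible Unicode characters but does not show how a reviewer would catch it. The scanner below is an added example, not Koi's tooling and not code from the compromised extensions: it walks a source file code point by code point and reports characters that an editor renders as nothing (format controls, private-use and unassigned code points, and the Unicode variation selector ranges), then groups adjacent hits into runs so that a single zero-width joiner inside a legitimate emoji is not confused with a long hidden blob. Which code point categories count as "invisible", the run-length threshold, and the sample extension source are assumptions made for the example; the sample is constructed and says nothing about GlassWorm's actual encoding.

```python
"""Find code points that survive in a source file but render invisibly in
an editor, and separate long hidden runs from stray single characters.

Added example for this page; not Koi's tooling and not the worm's code.
The flagged categories and thresholds are assumptions, not a description
of GlassWorm's encoding.
"""
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    line: int        # 1-based line number
    col: int         # 1-based column, counted in code points
    codepoint: int
    name: str
    category: str


# Assumption: these render as nothing in a typical code editor.
# Cf = format (ZWSP, ZWJ/ZWNJ, bidi controls, tag characters ...),
# Co = private use, Cn = unassigned.
INVISIBLE_CATEGORIES = {"Cf", "Co", "Cn"}
# Variation selectors are category Mn but are also drawn as nothing.
VARIATION_SELECTORS = (
    range(0xFE00, 0xFE10),       # VS1..VS16
    range(0xE0100, 0xE01F0),     # VS17..VS256
)
# A UTF-8 BOM as the very first character is routine; do not report it.
BENIGN_FIRST_CHAR = {0xFEFF}


def is_invisible(cp: int) -> bool:
    """True if the code point is in an invisible category or VS range."""
    if unicodedata.category(chr(cp)) in INVISIBLE_CATEGORIES:
        return True
    return any(cp in r for r in VARIATION_SELECTORS)


def find_invisible(text: str) -> list[Hit]:
    """Return every invisible code point in text with its position."""
    hits: list[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if lineno == 1 and col == 1 and cp in BENIGN_FIRST_CHAR:
                continue
            if is_invisible(cp):
                hits.append(Hit(lineno, col, cp,
                                unicodedata.name(ch, "<unnamed>"),
                                unicodedata.category(ch)))
    return hits


def suspicious_runs(hits: list[Hit], min_len: int = 4) -> list[tuple[int, int, int]]:
    """Group hits into runs of adjacent code points on one line and return
    (line, start_col, length) for runs of at least min_len. A lone ZWJ in an
    emoji sequence is a run of length 1 and is therefore not reported."""
    runs: list[tuple[int, int, int]] = []
    i = 0
    while i < len(hits):
        j = i
        while (j + 1 < len(hits)
               and hits[j + 1].line == hits[i].line
               and hits[j + 1].col == hits[j].col + 1):
            j += 1
        length = j - i + 1
        if length >= min_len:
            runs.append((hits[i].line, hits[i].col, length))
        i = j + 1
    return runs


# Constructed sample (not real extension source): a plain-looking entry
# point with five variation selectors hidden at the end of a comment, plus
# a legitimate emoji (man technologist) that contains one ZWJ (U+200D).
HIDDEN = "".join(chr(0xE0100 + b) for b in b"hello")
SAMPLE_JS = (
    "const vscode = require('vscode');\n"
    "// activation helper " + HIDDEN + "\n"
    "function activate(ctx) { console.log('ready \U0001F468\u200D\U0001F4BB'); }\n"
    "module.exports = { activate };\n"
)

if __name__ == "__main__":
    found = find_invisible(SAMPLE_JS)
    for h in found:
        print(f"line {h.line} col {h.col}: U+{h.codepoint:04X} {h.name} ({h.category})")
    for line, col, length in suspicious_runs(found):
        print(f"suspicious run of {length} invisible code points at line {line} col {col}")
```

In a CI gate you would run find_invisible over every file in the extension package and fail the build on any run reported by suspicious_runs, while logging single hits for a human to review; the run-length threshold is the knob that keeps emoji-heavy READMEs from blocking the pipeline.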

First seen: 2025-10-20 21:06

Last seen: 2025-10-20 22:07