Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

GlassWorm Malware Discovered in Three VS Code Extensions with Thousands of Installs

The Hacker News by The Hacker News
November 10, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Nov 10, 2025Ravie LakshmananMalware / Threat Intelligence

Cybersecurity researchers have disclosed a new set of three extensions associated with the GlassWorm campaign, indicating continued attempts on part of threat actors to target the Visual Studio Code (VS Code) ecosystem.

The extensions in question, which are still available for download, are listed below –

DFIR Retainer Services

GlassWorm, first documented by Koi Security late last month, refers to a campaign in which threat actors leverage VS Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace to harvest Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, and drop additional tools for remote access.

What makes the malware notable is that it uses invisible Unicode characters to hide malicious code in code editors and abuses the pilfered credentials to compromise additional extensions and further extend its reach, effectively creating a self-replication cycle that allows it to spread in a worm-like fashion.

In response to the findings, Open VSX said it identified and removed all malicious extensions, in addition to rotating or revoking associated tokens as of October 21, 2025. However, the latest report from Koi Security shows that the threat has resurfaced a second time, using the same invisible Unicode character obfuscation trick to bypass detection.

“The attacker has posted a fresh transaction to the Solana blockchain, providing an updated C2 [command-and-control] endpoint for downloading the next-stage payload,” security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery said.

“This demonstrates the resilience of blockchain-based C2 infrastructure – even if payload servers are taken down, the attacker can post a new transaction for a fraction of a cent, and all infected machines automatically fetch the new location.”

The security vendor also revealed it identified an endpoint that’s said to have been inadvertently exposed on the attacker’s server, uncovering a partial list of victims spanning the U.S., South America, Europe, and Asia. This includes a major government entity from the Middle East.

CIS Build Kits

Further analysis has uncovered keylogger information supposedly from the attacker’s own machine, which has yielded some clues as to GlassWorm’s provenance. The threat actor is assessed to be Russian-speaking and is said to use an open-source browser extension C2 framework named RedExt as part of their infrastructure.

“These are real organizations and real people whose credentials have been harvested, whose machines may be serving as criminal proxy infrastructure, whose internal networks may already be compromised,” Koi Security said.

The development comes shortly after Aikido Security published findings showing that GlassWorm has expanded its focus to target GitHub, indicating the stolen GitHub credentials are being used to push malicious commits to repositories.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
TeamViewer introduces Agentless Access to secure and simplify remote operations in industrial environments

TeamViewer introduces Agentless Access to secure and simplify remote operations in industrial environments

Recommended.

An InventHelp 123Invent Client Develops Protective Gloves for Use with Electronics (MHO-703)

An InventHelp 123Invent Client Develops Protective Gloves for Use with Electronics (MHO-703)

February 25, 2026
Spigen Levels Up their New Pixel 10 Lineup

Spigen Levels Up their New Pixel 10 Lineup

August 20, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio