Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools

The Hacker News by The Hacker News
December 2, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Dec 02, 2025Ravie LakshmananMalware / Blockchain

The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue.

GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm, Open VSX, GitHub, and Git credentials, drain cryptocurrency assets from dozens of wallets, and turn developer machines into attacker-controlled nodes for other criminal activities.

The most crucial aspect of the campaign is the abuse of the stolen credentials to compromise additional packages and extensions, thereby spreading the malware like a worm. Despite continued efforts of Microsoft and Open VSX, the malware resurfaced a second time last month, and the attackers were observed targeting GitHub repositories.

The latest wave of the GlassWorm campaign, spotted by Secure Annex’s John Tuckner, involves a total of 24 extensions spanning both repositories. The list of identified extensions is below –

Cybersecurity

VS Code Marketplace:

  • iconkieftwo.icon-theme-materiall
  • prisma-inc.prisma-studio-assistance (removed as of December 1, 2025)
  • prettier-vsc.vsce-prettier
  • flutcode.flutter-extension
  • csvmech.csvrainbow
  • codevsce.codelddb-vscode
  • saoudrizvsce.claude-devsce
  • clangdcode.clangd-vsce
  • cweijamysq.sync-settings-vscode
  • bphpburnsus.iconesvscode
  • klustfix.kluster-code-verify
  • vims-vsce.vscode-vim
  • yamlcode.yaml-vscode-extension
  • solblanco.svetle-vsce
  • vsceue.volar-vscode
  • redmat.vscode-quarkus-pro
  • msjsdreact.react-native-vsce

Open VSX:

  • bphpburn.icons-vscode
  • tailwind-nuxt.tailwindcss-for-react
  • flutcode.flutter-extension
  • yamlcode.yaml-vscode-extension
  • saoudrizvsce.claude-dev
  • saoudrizvsce.claude-devsce
  • vitalik.solidity

The attackers have been found to artificially inflate the download counts to make the extensions appear trustworthy and cause them to prominently appear in search results, often in close proximity to the actual projects they impersonate to deceive developers into installing them.

“Once the extension has been approved initially, the attacker seems to easily be able to update code with a new malicious version and easily evade filters,” Tuckner said. “Many code extensions begin with an ‘activate’ context, and the malicious code is slipped in right after the activation occurs.”

Cybersecurity

The new iteration, while still relying on the invisible Unicode trick, is characterized by the use of Rust-based implants that are packaged inside the extensions. In an analysis of the “icon-theme-materiall” extension, Nextron Systems said it comes with two Rust implants that are capable of targeting Windows and macOS systems –

  • A Windows DLL named os.node
  • A macOS dynamic library named darwin.node

As observed in the previous GlassWorm infections, the implants are designed to fetch details of the C2 server from a Solana blockchain wallet address and use it to download the next-stage payload, an encrypted JavaScript file. As a backup, they can parse a Google Calendar event to fetch the C2 address.

“Rarely does an attacker publish 20+ malicious extensions across both of the most popular marketplaces in a week,” Tuckner said in a statement. “Many developers could easily be fooled by these extensions and are just one click away from compromise.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Researchers Capture Lazarus APT’s Remote-Worker Scheme Live on Camera

Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera

Recommended.

Huawei Unveils AI Data Center Solution, Leading the Industry into a New Era of Intelligent Computing

Huawei Unveils AI Data Center Solution, Leading the Industry into a New Era of Intelligent Computing

May 14, 2025
Intel Exec: ‘Panther Lake’ Commercial PC Push Will Help Us Regain Market Share

Intel Exec: ‘Panther Lake’ Commercial PC Push Will Help Us Regain Market Share

March 25, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio