GlassWorm Malware Discovered in Three VS Code Extensions with Thousands of Installs
GlassWorm malware has been found embedded in three Visual Studio Code extensions that together have been installed thousands of times. The campaign targets developers by abusing the trust placed in extensions from the VS Code marketplace. Once such an extension is installed, its payload runs on the developer's machine and can compromise the confidentiality and integrity of the affected system. Although no active exploitation in the wild has been reported beyond the discovery itself, the threat is rated high severity because developer workstations hold source code, credentials and build access, and because a trusted marketplace makes distribution easy. European organisations that use these extensions are at risk, above all in the software development and IT sectors; countries with high VS Code adoption and large software industries, such as Germany, France and the UK, are the most exposed. Mitigation requires an immediate audit of installed extensions, removal of any that cannot be verified, and monitoring for unusual activity. Defenders should prioritise verifying extension authenticity and enforcing strict controls on which extensions may be installed.
AI Analysis
Technical Summary
The GlassWorm campaign places malicious code inside three Visual Studio Code extensions that have been downloaded thousands of times, which gives it a broad potential attack surface. VS Code is a widely used source-code editor whose extension ecosystem is central to developer productivity, and the campaign exploits the trust developers place in that ecosystem to distribute malware. The malicious payload executes once an infected extension is installed and activated, which could let an attacker exfiltrate sensitive data such as credentials and source code, tamper with code under development, or establish persistence in the development environment. Because the affected extensions are popular, the risk of widespread compromise is highest in organisations that rely heavily on VS Code. No further active exploitation has been reported, but the discovery is a clear software-supply-chain risk. The report names no affected versions or patches, which suggests the extensions may still be available for installation, so the matter is urgent. The malware's stealth and its integration into a trusted developer tool make detection difficult, so defenders need stronger monitoring and verification of extension sources. The case underlines the need to secure the development toolchain and to vet third-party components, editor extensions included, with the same rigour as application dependencies.
Potential Impact
For European organisations, GlassWorm poses a substantial risk to the confidentiality and integrity of the software development process. A compromised developer workstation can lead to theft of intellectual property, insertion of backdoors or vulnerabilities into shipped software, and contamination of downstream consumers of that software. Organisations in finance, technology and critical infrastructure, which depend on trustworthy software development, could suffer operational disruption and reputational damage. Because the malware arrives through trusted VS Code extensions, a breach is likely to go unnoticed for longer than a conventional intrusion. Given how widely VS Code is used across Europe, especially in countries with strong IT sectors, the potential impact is significant. GDPR imposes strict data-protection duties, so a breach that exposes personal data through such malware can also bring legal and financial penalties. More broadly, the incident raises questions about the security of the open-source and third-party components that European development environments rely on.
Mitigation Recommendations
European organisations should act on the following:
- Audit every installed VS Code extension immediately and remove any that cannot be verified or that was obtained from outside the official marketplace. Treat any machine on which an affected extension was installed as compromised, and rotate the credentials, tokens and SSH keys stored on it.
- Restrict installation to a curated allowlist of vetted extensions. VS Code's `extensions.allowed` setting, which can be deployed through managed policy, enforces such a list and can pin approved versions.
- Run endpoint detection and response (EDR) on developer workstations and alert on suspicious behaviour originating from the VS Code extension host, such as unexpected child processes, outbound connections or reads of credential stores.
- Keep VS Code and its extensions up to date to receive security fixes, bearing in mind that updating does not remove a malicious extension; it must be uninstalled.
- Educate developers about the risk of installing untrusted extensions and make it easy to report suspicious behaviour.
- Use software composition analysis (SCA) for project dependencies, but note that SCA tools generally do not see editor extensions; keep a separate inventory of installed extensions and review it regularly.
- Isolate development environments with containers or virtual machines to limit the blast radius of a compromised tool.
- Follow advisories from the VS Code marketplace maintainers and the security community to learn promptly about newly identified malicious extensions.
- Run incident response exercises that rehearse a supply-chain or developer-toolchain compromise.
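The first two recommendations above, the extension audit and the allowlist, can be scripted. The following is an added example written for this page; it is not code from the original article, from the VS Code project or from any extension it discusses. It reads each extension's package.json from the user's extensions directory, reports every extension that is not on the allowlist or not at its approved version, and emits an `extensions.allowed` settings fragment. The allowlist entries, pinned versions and the sample manifests are constructed for illustration, and the value shape used for `extensions.allowed` (true for any version, a list of version strings for a pin) is assumed from the documented setting.

```python
"""Audit installed VS Code extensions against a curated allowlist.

Added example for this page, not code from the original article or from any
extension discussed there. The allowlist, versions and sample manifests are
constructed for illustration.
"""
from __future__ import annotations

import json
import os
from pathlib import Path
from typing import Iterable

# Hypothetical allowlist keyed by "publisher.name" (lowercase, as VS Code reports it).
# "*" accepts any version; a version string pins the extension to a reviewed release.
APPROVED: dict[str, str] = {
    "ms-python.python": "*",
    "esbenp.prettier-vscode": "*",
    "eamodio.gitlens": "16.0.0",
}

# Constructed manifests standing in for the contents of a real extensions directory.
SAMPLE_MANIFESTS: list[dict] = [
    {"publisher": "ms-python", "name": "python", "version": "2024.1.0",
     "main": "./out/extension.js"},
    {"publisher": "eamodio", "name": "gitlens", "version": "15.9.0",
     "main": "./dist/gitlens.js", "activationEvents": ["*"]},
    {"publisher": "some-unknown", "name": "helper-tool", "version": "0.0.3",
     "main": "./extension.js", "activationEvents": ["*"]},
    {"publisher": "someone", "name": "nice-theme", "version": "1.0.0",
     "contributes": {"themes": []}},
]


def default_extensions_dir() -> Path:
    """Directory where VS Code unpacks user-installed extensions."""
    return Path(os.environ.get("VSCODE_EXTENSIONS", Path.home() / ".vscode" / "extensions"))


def read_manifests(ext_dir: str | Path) -> list[dict]:
    """Load package.json from every extension folder under ext_dir (empty list if absent)."""
    ext_dir = Path(ext_dir)
    if not ext_dir.is_dir():
        return []
    manifests = []
    for child in sorted(ext_dir.iterdir()):
        pkg = child / "package.json"
        if pkg.is_file():
            with pkg.open(encoding="utf-8") as fh:
                manifests.append(json.load(fh))
    return manifests


def extension_id(manifest: dict) -> str:
    """The marketplace identifier, publisher.name, in lowercase."""
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()


def audit(manifests: Iterable[dict], approved: dict[str, str] = APPROVED) -> list[dict]:
    """Return one finding per extension that violates the allowlist.

    Each finding carries two triage hints read from the manifest: whether the
    extension runs code in the extension host at all (a `main` or `browser`
    entry; themes and snippet packs have neither) and whether it activates on
    "*", i.e. at every editor start.
    """
    findings = []
    for m in manifests:
        ext, version = extension_id(m), str(m.get("version", ""))
        reasons = []
        pinned = approved.get(ext)
        if pinned is None:
            reasons.append("not on allowlist")
        elif pinned != "*" and pinned != version:
            reasons.append(f"version {version} differs from approved {pinned}")
        if not reasons:
            continue
        traits = []
        if "main" in m or "browser" in m:
            traits.append("runs code in extension host")
        if "*" in (m.get("activationEvents") or []):
            traits.append("activates on every startup")
        findings.append({"id": ext, "version": version, "reasons": reasons, "traits": traits})
    return findings


def allowed_setting(approved: dict[str, str]) -> dict:
    """Build an `extensions.allowed` fragment for settings.json or a managed policy.

    Assumed value shape: true permits any version, a list of version strings
    pins the extension to those releases.
    """
    return {"extensions.allowed": {k: (True if v == "*" else [v]) for k, v in approved.items()}}


if __name__ == "__main__":
    installed = read_manifests(default_extensions_dir()) or SAMPLE_MANIFESTS
    for f in audit(installed):
        hints = f" [{'; '.join(f['traits'])}]" if f["traits"] else ""
        print(f"{f['id']}@{f['version']}: {', '.join(f['reasons'])}{hints}")
    print(json.dumps(allowed_setting(APPROVED), indent=2))
```

Run it on a workstation and it walks the real extensions directory; with no such directory it falls back to the constructed sample, where the pinned GitLens version mismatch, an unknown extension that runs code at every startup, and an unlisted theme are all reported, while the allowlisted Python extension is not. Feed the printed `extensions.allowed` fragment into the managed settings to turn the report into an enforced policy.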
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Source Type: Subreddit
- Subreddit: InfoSecNews
- Reddit Score: 1
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: thehackernews.com
- Newsworthiness Assessment: score 50.1, assessed as newsworthy (reasons: external_link, trusted_domain, newsworthy_keywords:malware, non_newsworthy_keywords:vs, established_author, very_recent)
- Has External Source: true
- Trusted Domain: true
Threat ID: 6911e8d86161266dcb99127d
Added to database: 11/10/2025, 1:30:00 PM
Last enriched: 11/10/2025, 1:30:34 PM
Last updated: 11/22/2025, 2:47:53 AM