GlassWorm: Unmasking the self-propagating worm that uses invisible code in VS Code extensions

The ghost in the code: invisible malware injection

The first feature of GlassWorm's sophistication is its approach to deploying the initial payload, a technique that breaks with traditional code review and detection methods.

Bypassing code review with Unicode variation selectors

Instead of resorting to typical obfuscation or hiding code in minified files, the attackers leveraged invisible Unicode characters, specifically Unicode variation selectors and Private Use Area (PUA) characters. These special characters are part of the Unicode specification but are designed to produce no visual output or render as mere whitespace in common code editors and integrated development environments (IDEs).

To a developer performing a manual code inspection, or a tool like GitHub’s diff view, the malicious code simply appears as empty lines or blank space. As one Koi researcher noted, "Let me say that again: the malware is invisible. Not obfuscated. Not hidden in a minified file. Actually invisible to the human eye." The code looks legitimate, but to the JavaScript interpreter, it is executable, active code.

This method successfully fooled the developers whose accounts were compromised. They could have reviewed the modified files—like the one where the malicious code created a "massive gap" between lines of functional code—and seen nothing wrong, unwittingly approving and distributing the malware to hundreds of users.

Triple-layer resilience: the unkillable C2 infrastructure

Upon execution, the invisible payload begins the next stage by reaching out to its command and control (C2) servers. GlassWorm’s C2 is perhaps its most resilient feature, as it employs a multi-layered redundancy system across three different mechanisms, making it nearly impossible to dismantle.

Solana blockchain: the immutable primary C2

The primary C2 channel utilizes the Solana public blockchain. The malware is hardcoded with the attacker's wallet address and searches the Solana network for transactions originating from that address. When a transaction is found, the malware extracts a JSON object containing a Base64-encoded link from the transaction’s memo field—a space for attaching arbitrary text to blockchain transactions. This link points to the next-stage payload.

The use of a public, decentralized blockchain offers the attackers significant advantages:

• Immutability and resilience: Once a transaction is recorded on the blockchain, it cannot be modified or deleted. This means the C2 instructions are permanent and cannot be taken down via standard legal or technical requests.

• Anonymity and censorship-resistance: Crypto wallets are pseudonymous, making attribution difficult. Furthermore, there is no central hosting provider, domain registrar, or single infrastructure that can be shut down.

• Legitimate traffic: Connections to Solana RPC (remote procedure call)  nodes—the servers used to interact with the blockchain—look normal and are unlikely to be flagged by standard security monitoring tools.

• Low cost and dynamic updates: The attacker can update their payload location simply by posting a new, low-cost transaction, allowing them to rapidly rotate infrastructure and bypass blocks against previous payload URLs.

Google Calendar: the legitimate backup C2

As a highly effective fallback mechanism, GlassWorm utilizes Google Calendar. The malware is configured to query a specific, publicly accessible Google Calendar event URL. Hidden within the event’s title is another Base64-encoded URL, which also points to the next payload stage.

This method bypasses security controls by using a legitimate, highly reliable, and widely used service. No organization blocks traffic to Google Calendar, providing a piece of "indestructible" infrastructure that the attacker can update at any time simply by editing the event title.

Payload decryption and key management

The C2 channels ultimately point to direct attacker-controlled IP addresses, such as 217.69.3.218 or 199.247.10.166. The payload fetched from these servers is not immediately usable; it is heavily obfuscated, Base64-encoded, and further protected by AES-256-CBC encryption.

The attackers implemented an ingenious defense against interception: The decryption key is not stored in the malware itself but is dynamically generated per request and passed in custom HTTP response headers. This means that even if a security team intercepts the encrypted payload, they cannot decrypt it without making a new request in real time to capture the current unique keys.

ZOMBI: the full-spectrum remote access trojan

The final decrypted stage of GlassWorm is a massive JavaScript payload dubbed the ZOMBI module—a chilling reference to the zombie botnet infrastructure it creates. This module transforms every infected developer workstation into a complete node within the attacker's criminal network.

Phase one: data harvesting and financial theft

The primary functions of the ZOMBI module are extensive data theft and financial gain:

• Credential theft for propagation: It aggressively harvests NPM authentication tokens, GitHub tokens, Open VSX credentials, and Git credentials. These are the critical keys required for the worm’s self-propagation cycle.

• Cryptocurrency wallet drain: The malware specifically targets and drains funds from 49 different cryptocurrency wallet extensions, including popular ones like Coinbase Wallet, MetaMask, and Phantom.

• Network reconnaissance: The module performs reconnaissance, mapping internal corporate networks accessible by the infected workstation. All stolen data is exfiltrated to specific attacker-controlled endpoints (e.g., 140.82.52.31).

Phase two: weaponizing the infected host

Beyond data theft, the ZOMBI module provides the attackers with comprehensive, persistent control over the victim's machine:

SOCKS proxy deployment: The malware installs a SOCKS proxy server on the infected machine. This functionality is invaluable to attackers as it:

• Anonymizes attacks: Attackers route their traffic through the victim’s IP address, masking their own origin.

• Bypasses firewalls: It allows external attackers to access internal network systems that the victim machine can reach, turning the developer's workstation into a constant internal network access point.

• Provides free infrastructure: The criminal group gets a ready-made, distributed network of proxy servers without incurring costs.

Hidden virtual network computing (HVNC): HVNC gives the attacker complete, graphical remote desktop access to the machine, but it is completely invisible to the user.

HVNC runs in a hidden virtual desktop that does not appear in the Task Manager and does not display any windows on the victim's screen. The attacker can operate silently in the background, using the victim's browser with all logged-in sessions (e.g., email and internal tools), reading confidential source code, stealing additional credentials, and pivoting to other systems within the corporate network—doing literally anything the victim could do, but entirely unbeknownst to them.

Decentralized control channels: GlassWorm ensures its command structure is as distributed as possible:

• It deploys WebRTC modules to establish peer-to-peer communication channels, which use NAT traversal to bypass traditional firewalls and enable direct, real-time control without the need for a central server.

• Commands are distributed using the BitTorrent Distributed Hash Table (DHT) network. This decentralized system, which makes torrent tracking nearly impossible to shut down, allows commands to spread across millions of nodes, ensuring there is no single central server that can be taken offline.

The self-propagation cycle: a fundamental shift

The primary purpose of stealing NPM, GitHub, and OpenVSX credentials is not just theft, but automated spread.

This is the self-replication cycle:

1. Initial infection: A compromised developer account pushes the invisible, malicious code to a legitimate extension.

2. Credential harvest: The invisible payload executes and steals new credentials from victim developers.

3. Automated spread: The stolen credentials are used to compromise additional packages and extensions across the marketplaces.

4. Exponential growth: Each new infected developer machine becomes a launching point, an "infection vector," leading to exponential growth throughout the software development ecosystem.

This mechanism highlights a fundamental, troubling shift in the threat landscape. Attackers are no longer content with one-off compromises; they are building autonomous, self-sustaining malware that can spread rapidly. Its self-propagating nature, combined with invisible code, blockchain C2, and full RAT capabilities, makes GlassWorm a new benchmark for supply chain attackers.

Indicators of compromise (IoCs) and recommendations

The GlassWorm attack was already an active, ongoing threat before its discovery. Users who had installed infected extensions were immediately compromised.

Known compromised extensions

The first wave of compromised extensions primarily targeted the Open VSX Marketplace, with one instance found on the Microsoft VS Code Marketplace (later removed):

Infrastructure and persistence IoCs

• Primary C2 IPs: 217.69.3.218, 199.247.10.166

• Exfiltration endpoints: 140.82.52.31:80/wall, 199.247.13.106:80/wall

• Solana wallet (attacker): 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2

• Google Calendar C2 Link: https://calendar.app.google/M2ZCvM8ULL56PD1d6

• Persistence mechanisms (Windows registry): Keys set in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run to ensure automatic restart on any failure.

Recommended actions

Any organization or developer identifying these IoCs in their infrastructure must immediately assume they have been compromised.

For infected systems (immediate steps):

• Quarantine and reformat: The most secure measure is to assume the machine is fully compromised and immediately isolate it, then format the machine to ensure removal of the ZOMBI module.

• Rotate all secrets: Rotate all credentials and secrets used on the infected machine, including:

  • NPM tokens

  • GitHub and Git credentials

  • Open VSX and VS Code tokens

  • All stored passwords and API keys

• Monitor financial activity: Closely audit and monitor all cryptocurrency wallet activity for unauthorized transactions.

For all developers (preventive measures):

• Vigilant extension audit: Regularly audit all installed VS Code extensions against known compromised lists and check for abnormal activity (e.g., suspicious network connections, strange API usage).

• Disable auto-updates: Consider disabling the default auto-update feature for extensions in favor of a manual review process.

• Evaluate extensions: Before installing, thoroughly evaluate extensions by checking publisher reputation, review history, and update frequency, and ensure you only install those you absolutely need.

• Centralized control: For enterprises, consider implementing a centralized allowlist for VS Code extensions to minimize the attack surface.

The emergence of GlassWorm indicates that the battlefield for supply chain security continues to change dramatically. The threat is no longer limited to compromised code registries but now includes autonomous worms designed to spread exponentially throughout the development ecosystem, using techniques that are both invisible to the human eye and highly resilient to infrastructure takedown. Robust security practices and vigilance are now more critical than ever.

If you have any questions, please don't hesitate to contact us at help@fluidattacks.com. We invite you to sign up for a free 21-day trial of our Continuous Hacking's Essential plan.