Concise Cyber

GlassWorm Malware Infects VS Code Extensions in Widespread Supply Chain Attack

New Self-Propagating Worm Targets Developers

Cybersecurity researchers have identified a self-propagating worm, codenamed GlassWorm, that spreads through Visual Studio Code (VS Code) extensions. The discovery by Koi Security on October 24, 2025, highlights a significant supply chain attack targeting the developer community. The malware was found infecting extensions on both the Open VSX Registry and the official Microsoft Extension Marketplace, underscoring the growing threat to the DevOps pipeline. This incident marks the second major supply chain attack on the developer ecosystem in a month, following the ‘Shai-Hulud’ worm that impacted the npm ecosystem in mid-September 2025.

GlassWorm represents a sophisticated threat, specifically designed to compromise developer environments. By embedding itself within legitimate-seeming VS Code extensions, the worm can spread rapidly as developers install or update their tools, creating a widespread infection across multiple organizations and projects.

Advanced Evasion and C2 Techniques

The GlassWorm campaign is distinguished by its novel technical capabilities. For its command-and-control (C2) infrastructure, the malware utilizes the Solana blockchain, a design choice that makes the C2 network highly resilient to takedown attempts by authorities. In addition to its primary C2, the worm employs Google Calendar as a fallback communication mechanism, adding another layer of durability to its operations.

Another innovative aspect of the attack is its code evasion method. In a technical report, researcher Idan Dardikman noted that the campaign uses “invisible Unicode characters that make malicious code literally disappear from code editors.” The attackers achieved this by using Unicode variation selectors, which are special characters that modify the appearance of preceding characters without being easily visible, thereby hiding the malicious payloads from developers inspecting the source code.
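A defender-side check for the hiding technique described above, as an added example that is not taken from the Koi Security report or from this article's sources: it flags runs of Unicode variation selectors in source text. The `minRun` threshold, the function names and the sample input are assumptions constructed for illustration.

```javascript
// Variation selector ranges defined by the Unicode standard:
// VS1-VS16 (U+FE00-U+FE0F) and VS17-VS256 (U+E0100-U+E01EF).
function isVariationSelector(cp) {
  return (cp >= 0xfe00 && cp <= 0xfe0f) || (cp >= 0xe0100 && cp <= 0xe01ef);
}

// Returns one finding per run of consecutive selectors on a line.
// minRun is an assumed threshold: ordinary text uses a single selector
// after a base character (for example an emoji followed by U+FE0F),
// so runs of two or more are treated as suspicious.
function findSelectorRuns(text, minRun = 2) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    let run = 0, startCol = 0, col = 0;
    const flush = () => {
      if (run >= minRun) {
        findings.push({ line: idx + 1, column: startCol + 1, count: run });
      }
      run = 0;
    };
    for (const ch of line) {            // iterates by code point
      if (isVariationSelector(ch.codePointAt(0))) {
        if (run === 0) startCol = col;
        run++;
      } else {
        flush();
      }
      col += ch.length;                 // column in UTF-16 units, as editors count
    }
    flush();                            // a run may end at end of line
  });
  return findings;
}

// Constructed sample: line 1 has a legitimate single selector after an emoji,
// line 2 has twelve invisible selectors inside a string literal.
const hidden = Array.from({ length: 12 }, (_, i) =>
  String.fromCodePoint(0xe0100 + i)).join("");
const SAMPLE = [
  'const label = "ok \u2764\uFE0F";',
  'const cfg = "' + hidden + '";',
  "module.exports = { label, cfg };",
].join("\n");

console.log(findSelectorRuns(SAMPLE));
```

Run over an extension's unpacked `.js` files before installation or in CI, a non-empty result points to the line and column where invisible characters sit, even though an editor renders the string as empty.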

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
