Developers, check your tools. A sophisticated new threat is actively targeting the software development community.
As of October 24, 2025, cybersecurity researchers have uncovered a self-propagating worm named "GlassWorm" that is spreading through Visual Studio (VS) Code extensions. This is a significant supply chain attack, and it is designed to spread "like wildfire" through the entire developer ecosystem.
How Does GlassWorm Work?
This malware is dangerously clever. It infects popular extensions on both the Microsoft Extension Marketplace and the Open VSX Registry. Once an infected extension is installed, the worm gets to work.
Its primary goals are to:
- Steal credentials for GitHub, npm, and Git.
- Drain cryptocurrency from 49 different wallet extensions.
- Turn your machine into a proxy server for criminal activities.
- Install hidden remote access tools (HVNC) to take full control of your computer.
What makes GlassWorm especially advanced is its resilience. It uses the Solana blockchain for its command-and-control (C2) communication, making it extremely difficult to track and take down, and it falls back to Google Calendar as a backup channel.
The "Invisible" Threat
One of the most alarming discoveries is how the malware hides. The attackers used invisible Unicode characters in the source code. This means the malicious code literally disappears from view in many code editors, making it almost impossible to spot during a manual code review.
Because VS Code extensions auto-update by default, the malware can be pushed to thousands of developers automatically, without any action on their part.
What Developers Should Do Now
- Review Your Extensions: Immediately audit the VS Code extensions you have installed. Security firm Koi Security, which discovered the worm, has released a list of the 14 known infected extensions. Search for this list and cross-check it with your setup.
- Be Wary of Auto-Updates: While convenient, auto-updates are the primary infection vector here. Consider disabling them for now or being more selective about your trusted publishers.
- Check Your Credentials: If you have been infected, your credentials are likely stolen. You must immediately rotate all API keys, GitHub tokens, and passwords for related services.
- Monitor Network Activity: Keep an eye on unusual network traffic, especially any communication related to the Solana blockchain or unexpected Google Calendar events.
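A practical way to act on the "invisible Unicode" finding and the extension audit above is to scan the source files of every installed extension for code points that render as nothing in an editor. The script below is an added example, not code from Koi Security or from the GlassWorm analysis; the set of code-point ranges it treats as "invisible" (zero-width characters, bidi controls, variation selectors, the Unicode "tags" block) is an assumption, not the specific characters the worm uses, and the default `~/.vscode/extensions` path is the stock VS Code location.

```python
import sys
import unicodedata
from pathlib import Path

# Ranges that render as nothing (or nearly nothing) in most editors. This list is an
# assumption for the example, not the characters reported for GlassWorm.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM/RLM
    (0x2028, 0x202E),    # line/paragraph separators, bidi embedding overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space
    (0xE0000, 0xE007F),  # Unicode "tags" block
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def scan_text(text: str):
    """Return (line, col, 'U+XXXX', unicode name) for every invisible code point."""
    hits = []
    # Split on "\n" only: str.splitlines() would swallow U+2028/U+2029 before we see them.
    for line_no, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unassigned>")))
    return hits

def scan_extensions(root: Path, suffixes=(".js", ".mjs", ".cjs", ".ts", ".json")):
    """Walk an extensions directory and map each file with invisible code points to its hits."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    # Constructed sample: a zero-width space and two "tag" characters hidden in ordinary code.
    print(scan_text("x = 1;\u200b\nf(\U000E0041\U000E0042)"))
    # Then the real scan: VS Code's extensions folder, or a path given on the command line.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    for file, hits in scan_extensions(root).items():
        print(f"{file}: {len(hits)} invisible code point(s), first at line {hits[0][0]} col {hits[0][1]}")
```

A hit is not proof of compromise (some legitimate files contain a leading BOM or emoji variation selectors), but a tag-block or zero-width character in the middle of a JavaScript statement is worth a manual look before the extension runs again.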
This attack is a serious escalation, moving from compromising individual packages to creating self-sustaining worms. Stay vigilant and treat your development environment as the critical target it is.
