GlassWorm Trojan: How Malicious VS Code Extensions Are Hijacking Developer Environments via OpenVSX + Video

Listen to this Post

Featured Image

Introduction:

Supply chain attacks have evolved beyond traditional software dependencies, now directly targeting the integrated development environments (IDEs) that developers trust daily. The newly discovered GlassWorm malware exploits the OpenVSX extension marketplace—an open-source alternative to Microsoft’s marketplace—to distribute trojanized extensions impersonating popular tools like WakaTime, compromising Visual Studio Code, Cursor, and Windsurf users with a multi-stage infection chain that began as early as March 2025.

Learning Objectives:

  • Identify and analyze malicious VS Code extensions distributed via OpenVSX and npm using Unicode obfuscation techniques.
  • Implement detection and removal procedures for GlassWorm infections across Linux and Windows developer workstations.
  • Apply supply chain hardening measures to prevent IDE-based malware from executing in CI/CD pipelines.

You Should Know:

  1. Unmasking the OpenVSX Supply Chain Attack – How Attackers Publish Rogue Extensions

The GlassWorm campaign leverages the OpenVSX registry, which many open-source IDEs (like Cursor and Windsurf) use as their default extension source. Attackers registered a malicious extension named code-wakatime-activity-tracker, impersonating the legitimate WakaTime productivity plugin. Because OpenVSX has less stringent review processes than Microsoft’s marketplace, the trojan remained undetected for months.

Step‑by‑step guide to inspect and verify VS Code extensions:
– List installed extensions (Linux/macOS):

`code –list-extensions`

  • List extensions with versions and locations (Windows PowerShell):

`code –list-extensions –show-versions`

  • Manually check extension folder for anomalies:
  • Linux: `~/.vscode/extensions/`
  • Windows: `%USERPROFILE%\.vscode\extensions\`
  • Search for the malicious extension by ID:

`code –list-extensions | findstr wakatime` (Windows)

`code –list-extensions | grep wakatime` (Linux)

To verify the integrity of an extension, inspect its `package.json` for unusual `activationEvents` or `scripts` that invoke external commands. For example, a benign extension should not contain "postinstall": "node malicious.js".

  1. Detecting Unicode Invisible Characters in npm Packages – The GlassWorm Obfuscation Trick

Since March 2025, attackers have hidden malicious payloads inside npm packages using invisible Unicode characters (e.g., zero-width spaces, directional overrides). These characters alter code execution flow without being visible in standard editors. GlassWorm uses this technique to bypass static analysis tools.

Linux command to scan a package for invisible Unicode:

npm pack <package-name> && tar -xzf .tgz
find package -type f -name ".js" -exec cat {} \; | grep -P '[\x{200B}-\x{200D}\x{FEFF}\x{202A}-\x{202E}]'

Windows PowerShell equivalent:

Get-ChildItem -Path .\package -Recurse -Filter .js | Get-Content | Select-String "[\u200B-\u200D\uFEFF\u202A-\u202E]"

Tutorial step: To audit all installed npm dependencies for obfuscated Unicode, create a CI pipeline script that runs `npm audit` followed by the above grep command. If matches are found, the package is likely malicious.

  1. Multi‑Stage Infection Chain Analysis – From IDE Extension to Full Persistence

GlassWorm does not execute immediately. After the trojanized extension is installed, it reaches out to a command-and-control (C2) server to download stage‑2 payloads. These include credential stealers, clipboard hijackers, and reverse shells. The final stage often installs a persistent backdoor via cron (Linux) or scheduled tasks (Windows).

Linux persistence detection commands:

crontab -l  Check user crontab
sudo crontab -l  Check root crontab
ls -la /etc/cron.d/  List system cron jobs
systemctl list-timers --all  Check systemd timers

Windows persistence detection (PowerShell as Admin):

schtasks /query /fo LIST /v | findstr "GlassWorm"
Get-ScheduledTask | Where-Object {$<em>.Actions.Execute -like "malicious"}
Get-WinEvent -LogName Security | Where-Object { $</em>.Message -like "GlassWorm" }

To mitigate, immediately disable any suspicious scheduled tasks and remove cron entries. Then revoke all session tokens and reset credentials.

  1. Hardening Developer Environments Against OpenVSX and IDE Extensions

Prevention is critical. Since OpenVSX is less regulated, organizations should restrict which extension marketplaces their IDEs can access. For VS Code, you can set `”extensions.allowedMarketplaces”` to only Microsoft Marketplace. For Cursor and Windsurf, configure a private extension registry proxy that blocks known malicious publishers.

VS Code settings.json (Linux/macOS/Windows):

{
"extensions.allowedMarketplaces": [
"https://marketplace.visualstudio.com"
],
"extensions.autoUpdate": false,
"security.workspace.trust.enabled": true
}

Additional hardening:

  • Run code editors inside sandboxed containers (e.g., Docker, Firejail).
    Example Docker command to run VS Code with isolated home:
    `docker run -it –rm -v “$PWD:/workspace” -w /workspace codercom/code-server`
    – Use AppArmor or SELinux profiles to restrict extension execution.
  • Enforce extension allowlisting via group policy (Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\VS Code).
  1. Incident Response Playbook for Compromised IDEs – Containment and Eradication

If GlassWorm is suspected, follow this IR workflow:

Step 1 – Isolate the workstation from network (disable Wi-Fi, unplug Ethernet).

Step 2 – Identify malicious extension:

  • Open VS Code/Cursor/Windsurf, go to Extensions view.
  • Look for `code-wakatime-activity-tracker` or any unfamiliar, recently installed extensions.
  • Uninstall immediately via GUI or CLI: `code –uninstall-extension publisher.extension-name`

Step 3 – Terminate malicious processes:

  • Linux: `ps aux | grep -i glassworm` then `kill -9 `
  • Windows: `tasklist | findstr /i glassworm` then `taskkill /F /PID `
    Step 4 – Remove persistence mechanisms as shown in Section 3.

Step 5 – Scan for backdoors:

  • Use `rkhunter` (Linux) or Windows Defender Offline Scan.
    Step 6 – Rotate all secrets (SSH keys, API tokens, cloud credentials) that were accessible from the compromised IDE.

6. Leveraging AI for Real-Time Extension Malware Detection

Given the rise of Unicode obfuscation and multi-stage attacks, static signatures are insufficient. AI models trained on extension metadata, code entropy, and API call sequences can flag anomalies before installation. For example, a lightweight LSTM model analyzing `package.json` and `extension.js` can detect hidden payloads with >95% accuracy.

Python script to extract features for AI analysis:

import json, hashlib, os
def analyze_extension(ext_path):
with open(os.path.join(ext_path, 'package.json')) as f:
pkg = json.load(f)
entropy = lambda s: sum(ord(c) for c in s) / len(s)
return {
'has_postinstall': 'postinstall' in pkg.get('scripts', {}),
'num_activation_events': len(pkg.get('activationEvents', [])),
'file_entropy': entropy(open(os.path.join(ext_path, 'extension.js')).read())
}

Integrate this into CI/CD to block extensions with high entropy and suspicious scripts.

What Undercode Say:

  • Key Takeaway 1: OpenVSX is a gaping hole in IDE supply chain security; treat it as untrusted unless you run a private mirror.
  • Key Takeaway 2: Unicode obfuscation is no longer a theoretical attack – it’s actively used in npm and extensions to bypass code reviews.
  • Analysis: The GlassWorm campaign demonstrates that developer workstations are now prime targets for advanced persistent threats (APTs). By infecting the tools that write code, attackers gain a privileged pivot point into source repositories, CI/CD pipelines, and production environments. The multi-stage design (March 2025 npm payloads → GitHub repos → OpenVSX extensions) shows meticulous planning and a clear understanding of open-source ecosystem trust models. Most organizations lack runtime monitoring for IDE processes, leaving a blind spot that attackers exploit to exfiltrate SSH keys, cloud tokens, and proprietary source code. The use of invisible Unicode characters is particularly insidious because standard `grep` and code review tools miss them; only dedicated regex patterns or AI-based scanners can reliably detect such threats.

Prediction:

Within 12 months, we will see a wave of similar supply chain attacks targeting JetBrains IntelliJ plugins and Eclipse marketplace, using AI-generated obfuscation to evade detection. The industry will shift toward mandatory cryptographic signing of extensions with hardware-backed keys, and CI/CD pipelines will begin enforcing runtime behavioral analysis for developer tools. Organizations that fail to implement extension allowlisting and Unicode scanning will face a breach similar to SolarWinds but originating from a developer’s VS Code – with potentially wider impact because the compromised code itself becomes the next vector.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky