Visual Studio Marketplace and Open VSX Registry users are targeted once again
- Glassworm campaign re-emerges with 24 malicious extensions on OpenVSX and Visual Studio marketplaces
- Malware steals GitHub, npm, wallet tokens, and deploys HVNC client with SOCKS proxy
- Targets frameworks like Flutter, React Native, Vue; Microsoft working to harden defenses
Malware is back on the OpenVSX and Microsoft Visual Studio marketplaces, researchers are warning. In mid-September this year, it was reported that cybercriminals were targeting crypto holders and developers by smuggling infostealers into open-source code repositories.
The Visual Studio Marketplace and the Open VSX Registry are both platforms for distributing extensions, with the former being Microsoft-owned and used in Visual Studio and Visual Studio Code, while the latter is a vendor-neutral, open-source alternative designed for VS Code-compatible editors like Eclipse Theia, Gitpod, SAP Business Application Studio, and others.
At first, the researchers found at least 24 malicious extensions, and as soon as those were removed, new ones popped up. The extensions, when installed on a Windows device, would deploy Lumma Stealer.
Two dozen new packages
Now, security researchers are saying that the campaign, which they’ve dubbed Glassworm, re-emerged with 24 new packages added across the two platforms.
To smuggle the malware, the attackers are using invisible Unicode characters which form an infostealer attempting to grab GitHub, npm, and OpenVSX accounts. From there, it tries to pull tokens and other valuables from 49 browser extension wallets.
Also, it deploys an HVNC client for remote access, and a SOCKS proxy for malicious traffic routing. According to BleepingComputer, the new attack was spotted by security analysts from Secure Annex, who claim the campaign targets a wide range of tools and developer frameworks like Flutter, Vim, Yaml, Tailwind, Svelte, React Native, and Vue.
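As an added illustration (not code from the researchers or either marketplace), here is one way a defender could scan an extension's JavaScript for long runs of invisible Unicode characters before installing it. The code-point ranges, the run-length threshold and the sample input are assumptions made for this example; the reporting above does not specify which characters the campaign used.

```javascript
// Flag runs of invisible Unicode code points in extension source (added example).
// ASSUMPTION: these ranges are common non-rendering code points; the article
// does not say which characters the campaign used.
const INVISIBLE_RANGES = [
  [0x00ad, 0x00ad],   // soft hyphen
  [0x200b, 0x200f],   // zero-width space/joiners, LRM/RLM
  [0x202a, 0x202e],   // bidi embedding/override controls
  [0x2060, 0x2064],   // word joiner, invisible operators
  [0x2066, 0x2069],   // bidi isolates
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // zero-width no-break space / BOM
  [0xe0000, 0xe007f], // tags block
  [0xe0100, 0xe01ef], // variation selectors supplement
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per run of at least minRun consecutive invisible code
// points. Columns are 1-based and counted in code points, not UTF-16 units.
function findInvisibleRuns(source, minRun = 4) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const cps = Array.from(text, (ch) => ch.codePointAt(0));
    let start = -1;
    for (let i = 0; i <= cps.length; i++) {
      const hidden = i < cps.length && isInvisible(cps[i]);
      if (hidden && start < 0) start = i;
      if (!hidden && start >= 0) {
        if (i - start >= minRun) {
          findings.push({ line: idx + 1, column: start + 1, length: i - start });
        }
        start = -1;
      }
    }
  });
  return findings;
}

// Constructed sample: line 2 hides 12 invisible code points in a string literal.
const HIDDEN_RUN = String.fromCodePoint(...Array.from({ length: 12 }, (_, i) => 0xe0100 + i));
const SAMPLE = [
  "const label = 'ok\u{1F468}\u200D\u{1F469}';", // lone joiner in an emoji: below threshold
  "const blob = '" + HIDDEN_RUN + "';",
  "module.exports = { label, blob };",
].join("\n");

console.log(findInvisibleRuns(SAMPLE));
```

The threshold keeps legitimate single characters, such as an emoji joiner or a leading byte-order mark, from being reported, while a long invisible run in source code is worth a manual look.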
The full list of packages can be found on this link.
In its writeup, BleepingComputer said it tipped off Microsoft about the attacks, and was told that the company is looking for ways to harden the defenses on the popular repository: "We continue to assess and improve our scanning and detections to prevent abuse. Microsoft encourages users to flag suspicious content through a 'Report Abuse' link found on every extension page," Redmond told the publication.
Via BleepingComputer
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.