{
	"id": "32601b16-7476-47dd-96e9-dfa8dec56a27",
	"created_at": "2026-04-29T02:22:11.70776Z",
	"updated_at": "2026-04-29T08:21:14.575399Z",
	"deleted_at": null,
	"sha1_hash": "4a929b4976332e830ad15b2d48f955ee2ea044b7",
	"title": "GlassWorm Returns: New Wave Strikes as We Expose Attacker Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 580843,
	"plain_text": "GlassWorm Returns: New Wave Strikes as We Expose Attacker\r\nInfrastructure\r\nBy Idan Dardikman, Yuval Ronen, Lotan Sery\r\nPublished: 2025-11-06 · Archived: 2026-04-29 02:07:33 UTC\r\nAlmost three weeks ago, we disclosed GlassWorm - the first self-propagating worm targeting VS Code extensions,\r\nusing invisible Unicode characters to hide malicious code that literally disappears from code editors.\r\nOn October 21, 2025, OpenVSX declared the incident \"fully contained and closed.\"\r\nBut on November 6, 2025 - sixteen days later - we detected a new wave of GlassWorm infections. Three more\r\nextensions compromised. A fresh Solana blockchain transaction providing new C2 endpoints. Same attacker\r\ninfrastructure, still fully operational.\r\nBut here's where this story gets more serious. We managed to access the attacker's server. What we found inside\r\nconfirmed the real-world impact: a partial list of victims from around the world - the US, South America, Europe,\r\nAsia - including a major government entity from the Middle East.\r\nWorld map of GlassWorm victims\r\nThis isn't just about compromised extensions anymore. This is about real victims, critical infrastructure at risk, and\r\na worm that's doing exactly what we warned it would do: spreading through the developer ecosystem.\r\nAnd it's not just OpenVSX. 
Developers have reported that GlassWorm has jumped to GitHub repositories, using\r\nAI-generated commits to hide its invisible payloads in what looks like legitimate code changes.\r\nThe New Wave: Three More Extensions Fall\r\nhttps://www.koi.ai/blog/glassworm-returns-new-wave-openvsx-malware-expose-attacker-infrastructure\r\nPage 1 of 5\n\nOn November 6, 2025, our risk engine flagged three more OpenVSX extensions showing the exact GlassWorm\r\nsignature:\r\nai-driven-dev.ai-driven-dev (3,300 downloads)\r\nadhamu.history-in-sublime-merge (4,000 downloads)\r\nyasuyuky.transient-emacs (2,400 downloads)\r\nTotal impact from this wave alone: approximately 10,000 additional infections.\r\nThe invisible payload in the new wave of GlassWorm\r\nAll three extensions contain invisible Unicode malware very similar to what we documented in our original\r\nanalysis. The malicious code is still literally invisible in code editors - encoded in unprintable Unicode characters\r\nthat render as blank space to human eyes but execute as JavaScript to the interpreter.\r\nThe attacker has posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for\r\ndownloading the next-stage payload. This demonstrates the resilience of blockchain-based C2 infrastructure - even\r\nif payload servers are taken down, the attacker can post a new transaction for a fraction of a cent, and all infected\r\nmachines automatically fetch the new location.\r\nNotably, while the Solana transaction is fresh, the C2 and exfiltration servers remain unchanged from our original\r\nanalysis:\r\n199.247.10.166 (primary C2 server)\r\n199.247.13.106:80/wall (exfiltration endpoint)\r\nThe infrastructure we documented a month ago is still operational. Still serving payloads. 
Still collecting stolen\r\ncredentials.\r\nWe Got Inside: What the Attacker's Server Revealed\r\nHere's where our investigation took an unexpected turn.\r\nFollowing a tip from an independent security researcher who preferred to remain anonymous, we discovered that\r\nthe attacker had inadvertently left an endpoint exposed on their server. We leveraged this opening to exfiltrate data\r\nfrom the attacker's infrastructure.\r\nAnd that's when we found it: a partial list of victims.\r\nWe can't share specific names or identifying details - both for victim privacy and because this is now part of an\r\nactive law enforcement investigation. But we can tell you what we saw:\r\nVictims spanning the US, South America, Europe, and Asia\r\nA government entity from the Middle East\r\nDozens of individual developers and organizations\r\nThese aren't hypothetical victims. These are real organizations and real people whose credentials have been\r\nharvested, whose machines may be serving as criminal proxy infrastructure, whose internal networks may already\r\nbe compromised.\r\nBut the server held something else: the attacker's own keylogger data. 
Whether from testing infrastructure or\r\noperational oversight, we obtained intelligence that significantly advances attribution efforts:\r\nThe attacker is Russian-speaking\r\nThey use RedExt, an open-source browser extension C2 framework, as part of their infrastructure\r\nWe have their user IDs for multiple cryptocurrency exchanges and messaging platforms\r\nAttacker's data extracted from the C2 server\r\nThis intelligence has been shared with law enforcement agencies and provides investigators with concrete leads\r\nfor attribution.\r\nWe're currently working with law enforcement agencies to notify affected victims and coordinate efforts to take\r\ndown the attacker's infrastructure. But the reality is sobering: this campaign has been running for over a month,\r\nand it continues to spread.\r\nThe victims we found represent only a partial snapshot - what we could extract from one exposed endpoint. The\r\nreal scale of compromise is likely much larger.\r\nGlassWorm Spreads to GitHub\r\nOn October 31, 2025, security researchers at Aikido Security published findings showing that GlassWorm has\r\njumped to GitHub repositories. Developers contacted Aikido after discovering their own repositories had been\r\ncompromised with seemingly legitimate commits - project-specific code changes that appear to be AI-generated to\r\nblend in with normal development activity. Hidden within these commits: the same invisible Unicode malware\r\npattern, using Private Use Area encoding to conceal malicious payloads. The decoded payloads use the same\r\nSolana blockchain delivery mechanism we documented, confirming this is GlassWorm. 
Most significantly, stolen\r\nGitHub credentials are being used to push malicious commits to additional repositories - proving the self-propagating worm behavior we warned about in our original analysis.\r\nIOCs\r\nCompromised Extensions\r\nOpenVSX (November 2025 wave):\r\nadhamu.history-in-sublime-merge@1.3.4\r\nyasuyuky.transient-emacs@0.23.1\r\nai-driven-dev.ai-driven-dev@0.4.11\r\nFinal Thoughts\r\nThis writeup was authored by the research team at Koi Security, with gratitude to our partners in the security\r\nresearch community and a commitment to a safer open-source ecosystem.\r\nGlassWorm demonstrates why visibility and governance across the entire software supply chain is no longer\r\noptional. When malware can be literally invisible, when worms can self-propagate through stolen credentials,\r\nwhen attack infrastructure can't be taken down - traditional security tools aren't enough.\r\nWe've built Koi to meet this moment. Our platform helps discover, assess, and govern everything your teams pull\r\nfrom marketplaces like the Chrome Web Store, VSCode, Hugging Face, Homebrew, GitHub, and beyond. Trusted\r\nby Fortune 50 organizations, BFSIs, and some of the largest tech companies in the world, Koi automates the\r\nsecurity processes needed to gain visibility, establish governance, and proactively reduce risk across this sprawling\r\nattack surface.\r\nBook a demo to see how Koi closes the gaps that legacy tools miss.\r\nStay paranoid out there. Because in a world where malware can be invisible and worms can propagate themselves,\r\nparanoia isn't a bug - it's a feature.\r\nSource: https://www.koi.ai/blog/glassworm-returns-new-wave-openvsx-malware-expose-attacker-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.koi.ai/blog/glassworm-returns-new-wave-openvsx-malware-expose-attacker-infrastructure"
	],
	"report_names": [
		"glassworm-returns-new-wave-openvsx-malware-expose-attacker-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1777429331,
	"ts_updated_at": 1777450874,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a929b4976332e830ad15b2d48f955ee2ea044b7.pdf",
		"text": "https://archive.orkl.eu/4a929b4976332e830ad15b2d48f955ee2ea044b7.txt",
		"img": "https://archive.orkl.eu/4a929b4976332e830ad15b2d48f955ee2ea044b7.jpg"
	}
}