Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks.

The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span of a month after the Shai-Hulud worm that targeted the npm ecosystem in mid-September 2025.

What makes the attack stand out is the use of the Solana blockchain for command-and-control (C2), making the infrastructure resilient to takedown efforts. It also uses Google Calendar as a C2 fallback mechanism.

Another novel aspect is that the GlassWorm campaign relies on "invisible Unicode characters
