Cybersecurity threats are growing every year, and some of them are becoming more dangerous, more advanced, and harder to detect. One of the newest threats discussed by security researchers is something they call Glassworm, a type of malicious attack targeting Visual Studio Code (VS Code) users. VS Code is one of the most popular code editors in the world, used by millions of developers, students, companies, and IT professionals. That is what makes this attack especially concerning.
Over the past few months, researchers have warned that a third wave of Glassworm attacks is spreading again, this time using more complex tricks and delivering more harmful payloads. Many people rely on VS Code every day, so it is extremely important to understand what this threat is, how it works, and what steps you should take to protect yourself.
In this article, we will explore everything in simple, easy-to-understand English, even if you are not a developer or cybersecurity expert. We will talk about how Glassworm works, why attackers target VS Code, signs that you may be infected, how to stay safe, and where to learn more. You will also find helpful links under relevant words to trusted websites like Microsoft, GitHub, NIST, Cisco, Google Cloud, and OWASP that provide deeper knowledge and updates on cybersecurity.
Let’s begin our journey into understanding this new attack wave in the world of software development.
What Is Glassworm?
Glassworm is a name researchers use for a group of malicious attack methods targeting developers through their VS Code environment. Think of it as a sneaky parasite that hides inside files, extensions, or settings and activates when you open or run something inside VS Code.
While the exact details of Glassworm may vary from report to report, the core idea remains the same: attackers try to trick users into downloading dangerous files, unsafe extensions, or harmful scripts that look normal but secretly run malicious code.
Security experts often describe it as a “supply chain attack,” a type of attack that tries to compromise tools developers use every day. If you want to learn more about supply chain attacks in general, you can visit the NIST cybersecurity page for official and easy-to-understand information.
Glassworm targets developers because developers usually:
- Download code samples
- Install many extensions
- Clone repositories from GitHub
- Work with scripts and automation tools
- Use shared code from different sources
This makes them the perfect target for attackers who hide malicious code inside what appear to be useful files.
Why VS Code Is the Main Target
VS Code, created by Microsoft, is one of the most widely used code editors in the world. According to the VS Code website, millions of people use it for web development, mobile apps, data science, machine learning, cloud computing, and much more. Because it is so popular, attackers see it as a massive opportunity.
VS Code is easy to extend with plugins. Many developers use dozens of extensions for linting, debugging, formatting, or improving productivity. Some of these extensions are built by small teams or independent developers, which makes them easier for attackers to mimic, copy, or manipulate.
Attackers often use the following tricks:
- Fake VS Code extensions that look real
- Malicious updates pushed through unverified sources
- Infected GitHub repositories
- Dangerous scripts hidden in project folders
- Auto-run tasks triggered when VS Code opens
If you want to learn how VS Code extensions work, you can explore the official documentation on GitHub Docs or the main VS Code extension marketplace on Visual Studio Marketplace.
The attackers know that developers trust extensions and shared code, so they use this trust to deliver Glassworm payloads without raising suspicion.
A Quick Look at the First and Second Waves of Attacks
Before understanding the third wave, it helps to know what happened earlier. According to cybersecurity researchers, the first wave of Glassworm attacks mainly focused on infected project files. These were simple payloads hidden in JavaScript, Python, or shell scripts that activated when developers opened or ran them.
The second wave of attacks quickly became more advanced. Attackers started using fake VS Code extensions that looked real, had thousands of downloads, and sometimes even copied the names of legitimate extensions. These attackers took advantage of the fact that many users install extensions without checking their security.
Researchers at companies like Cisco Talos and Microsoft Security started analyzing suspicious behavior patterns and found increasing signs that these attacks were organized.
Now, security analysts believe the threat has entered a third and more dangerous phase.
The Third Wave: What’s New and More Dangerous
The new wave of Glassworm attacks is more alarming for several reasons. It uses better disguises, stronger hiding techniques, more aggressive payloads, and smarter spreading mechanisms. Here are some of the common features seen in the third wave:
More Convincing Extensions
Fake extensions now use:
- Realistic icons
- Detailed descriptions
- Fake author names
- Fake update logs
- Fake GitHub links
These extensions look very real, and most users cannot tell the difference.
Scripts That Auto-Execute on Launch
Some payloads are designed to run the moment VS Code opens the project folder. Attackers use VS Code’s built-in features like tasks.json or debugging scripts to trigger harmful commands.
Payloads That Steal Developer Credentials
Newer versions aim to steal:
- GitHub tokens
- API keys
- Cloud credentials
- SSH keys
- Environment variables
You can learn about protecting developer credentials from sources like GitHub Security and Google Cloud Security.
Self-Spreading Mechanisms
Some Glassworm payloads copy themselves into:
- Other project folders
- Shared workspaces
- Cloud-synced directories
This allows the infection to spread to other developers on a team.
Better Obfuscation
Attackers hide the code using:
- Encryption
- Minified scripts
- Nested folders
- Fake error messages
This makes detection harder.
The third wave of Glassworm is not just an attack—it is an organized effort to compromise developer ecosystems.
How Glassworm Works Step-by-Step
Understanding how the attack operates can help users stay safe. Here is a simplified explanation:
Step 1: Users Download Something Suspicious
This could be:
- A project from GitHub
- A ZIP file from a tutorial
- A third-party extension
- A snippet copied from a forum
Many people download these without checking their source.
Step 2: VS Code Triggers Auto-Run Tasks
Glassworm often hides in:
- launch.json
- tasks.json
- scripts in package.json
- Python virtual environments
- Debugger configurations
VS Code runs these tasks automatically.
Step 3: The Payload Activates
The payload may:
- Download more malware
- Steal credentials
- Modify system files
- Change VS Code settings
- Record keystrokes
- Send data to attacker servers
Step 4: It Spreads Silently
Glassworm tries to remain hidden while spreading to other folders or even other developers on the same team.
You can learn more about how VS Code tasks work through the official documentation on the Visual Studio Code website.
Why Glassworm Is Hard to Detect
Glassworm uses several techniques that confuse normal users:
- It hides inside legitimate-looking files
- It disguises itself as normal developer scripts
- It mimics real extensions
- It avoids antivirus detection by running inside VS Code
- It delays its execution to avoid suspicion
Security researchers and ethical hackers often use tools like those recommended by OWASP to analyze this type of attack.
Who Is Most at Risk?
The Glassworm threat mainly affects:
- Freelance developers
- Beginner programmers
- Students working on shared projects
- Startups with limited security
- Developers who install many extensions
- Teams that clone random GitHub repositories
- Organizations without strong cybersecurity policies
If your work involves cloud computing, DevOps, or automation, the risk increases even more.
For teams working in the cloud, resources from AWS Security or Azure Security provide helpful guidance.
Signs You May Be Infected
Glassworm infections can sometimes be subtle. Here are some warning signs:
- VS Code installs unexpected extensions
- Terminal runs commands automatically
- Strange scripts appear in project folders
- Unknown tasks activate during startup
- GitHub shows suspicious commits
- Your API keys suddenly stop working
- Unfamiliar pop-ups appear
- Strange network activity starts happening
If you see any of these signs, it is important to secure your system immediately.
How to Protect Yourself from Glassworm
Thankfully, there are many simple steps you can take to stay safe.
Download Extensions Only from Trusted Sources
Stick to the official VS Code marketplace and check reviews, download numbers, and publisher names.
Avoid Running Code from Unknown Repositories
Before cloning a repo, check:
- Who published it
- How many stars it has
- How recent the commits are
GitHub offers security scanning tips on its security best practices page.
Do Not Trust Random Scripts Shared on Forums
Attackers sometimes post “helpful” scripts that contain hidden malicious commands.
Enable Security Tools
You can use protections from:
Keep Your System Updated
Updates often include patches for newly discovered vulnerabilities.
Use Credential Managers
Store secrets using protected tools recommended by companies like HashiCorp and GitHub Actions Security.
Disable Auto-Run Tasks in VS Code
Review your settings before allowing automated scripts.
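As an added example (not part of the original article), here is a Python audit that lists the places in a project folder where commands run without being called by name: tasks in `.vscode/tasks.json` marked `"runOn": "folderOpen"` and npm install-time scripts in `package.json`. The function names are illustrative, and files that cannot be parsed are reported for manual review rather than skipped.

```python
import json
import re
import sys
from pathlib import Path

# npm lifecycle scripts that run during `npm install` without being called by name
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
_STRING = r'"(?:\\.|[^"\\])*"'

def _drop_unless_string(match):
    token = match.group(0)
    return token if token.startswith('"') else ""

def load_jsonc(path):
    """Parse JSON that may carry comments and trailing commas (VS Code allows both)."""
    text = Path(path).read_text(encoding="utf-8")
    # Pass 1 removes // and /* */ comments, pass 2 removes trailing commas;
    # string literals are matched first so their contents are never touched.
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/", _drop_unless_string, text, flags=re.S)
    text = re.sub(_STRING + r"|,(?=\s*[}\]])", _drop_unless_string, text)
    return json.loads(text)

def audit_workspace(root):
    """Return sorted (relative path, trigger, command) tuples for a project folder."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.json"):
        rel = path.relative_to(root).as_posix()
        is_tasks = path.name == "tasks.json" and path.parent.name == ".vscode"
        if not is_tasks and path.name != "package.json":
            continue
        try:
            data = load_jsonc(path)
            if not isinstance(data, dict):
                raise ValueError("top level is not an object")
        except (OSError, ValueError):
            findings.append((rel, "unparseable", ""))  # inspect this file by hand
            continue
        if is_tasks:
            for task in data.get("tasks") or []:
                if not isinstance(task, dict):
                    continue
                if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                    parts = [task.get("command", "")] + list(task.get("args") or [])
                    findings.append((rel, "runOn=folderOpen", " ".join(map(str, parts)).strip()))
        else:
            scripts = data.get("scripts") or {}
            for hook in INSTALL_HOOKS:
                if hook in scripts:
                    findings.append((rel, "npm " + hook, str(scripts[hook])))
    return sorted(findings)

if __name__ == "__main__":
    for rel, trigger, command in audit_workspace(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {trigger}: {command}")
```

In VS Code's user settings, `task.allowAutomaticTasks` set to `off` keeps `folderOpen` tasks from starting, and opening an unfamiliar folder in Restricted Mode (Workspace Trust) keeps its tasks from running until you trust the folder.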
What To Do If You Think You Are Infected
If you suspect you are a victim of Glassworm, follow these steps:
- Disconnect your internet connection.
- Review all installed VS Code extensions.
- Scan your entire machine using a trusted security tool.
- Check for suspicious tasks in .vscode folders.
- Reset your credentials (GitHub, cloud accounts, etc.).
- Update your antivirus software.
- Reinstall VS Code from the official website.
If you are working in a company, notify your security team immediately.
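For the extension review step, the following added example (not from the original article) builds an inventory from each extension's `package.json` manifest and flags anything that is not on an approved list or that asks to activate at startup. It assumes the default desktop install folder `~/.vscode/extensions`; the allowlist entry and function names are constructed for illustration.

```python
import json
from pathlib import Path

# Activation events that load an extension at startup rather than on a specific file or command
EAGER_EVENTS = {"*", "onStartupFinished"}

def inventory_extensions(ext_dir, allowlist):
    """Return one record per extension folder, flagged against an approved-ID allowlist."""
    root = Path(ext_dir)
    if not root.is_dir():
        return []
    approved = {item.lower() for item in allowlist}
    report = []
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        flags = []
        try:
            meta = json.loads((folder / "package.json").read_text(encoding="utf-8"))
            if not isinstance(meta, dict):
                raise ValueError("manifest is not an object")
        except (OSError, ValueError):
            meta, flags = {}, ["manifest-unreadable"]
        # Extension IDs are "<publisher>.<name>" and are compared case-insensitively here
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        if ext_id not in approved:
            flags.append("not-on-allowlist")
        if EAGER_EVENTS.intersection(meta.get("activationEvents") or []):
            flags.append("activates-at-startup")
        report.append({"id": ext_id, "version": meta.get("version", "?"),
                       "folder": folder.name, "flags": flags})
    return report

def needs_review(report):
    """IDs of extensions that carry at least one flag."""
    return [item["id"] for item in report if item["flags"]]

if __name__ == "__main__":
    # Assumptions: default install location; the allowlist below is a constructed sample.
    sample_allowlist = ["example-publisher.approved-tool"]
    for item in inventory_extensions(Path.home() / ".vscode" / "extensions", sample_allowlist):
        print(item["id"], item["version"], ",".join(item["flags"]) or "ok")
```

Many legitimate extensions also activate at startup, so that flag is a prompt to look at the publisher and source, not a verdict.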
What This Attack Means for the Future
The rise of Glassworm shows that developer tools are becoming a high-value target for attackers. As software development becomes more connected to cloud environments, DevOps pipelines, and automated tools, attackers will continue to search for new ways to break into systems.
Security experts believe we will see more threats similar to Glassworm as attackers get smarter. Companies such as Google Cloud and Microsoft are already working on solutions, but developers must also take responsibility for safe coding habits.
Final Thoughts
The third wave of Glassworm attacks is a strong reminder that cybersecurity is not only a problem for large companies—it is a challenge for everyone. Whether you are a beginner, a freelancer, or a senior developer, you must stay aware, updated, and cautious when working with code, scripts, and extensions.
VS Code is a powerful tool, but its flexibility also makes it vulnerable. By educating yourself, using trusted tools, and following safe practices, you can protect your system and prevent attackers from exploiting your environment.
Glassworm is dangerous, but knowledge is your best defense. Stay alert, stay informed, and always trust reliable sources before downloading anything.
FAQ: Glassworm Strikes Again — Third Wave of VS Code Attacks
1. What is Glassworm and why is it considered dangerous?
Glassworm is a powerful and highly advanced malware family specifically designed to target developers through tools like Microsoft Visual Studio Code (VS Code). It is extremely dangerous because it hides inside extensions, mimics trusted files, and secretly steals sensitive information such as login credentials, tokens, SSH keys, and even source code. It can also give attackers remote control of the infected system. Unlike normal malware, Glassworm is modular, meaning attackers can add, remove, or upgrade parts of it anytime, making it very hard to detect and stop.
2. How does Glassworm infect Visual Studio Code users?
Glassworm most commonly spreads through fake or modified VS Code extensions that look completely harmless. When a user installs one of these extensions, the malware silently activates in the background. It can also spread through malicious project files, cloned GitHub repositories, or downloaded open-source packages. The scary part is that it rarely shows symptoms. Most victims have no idea their system is infected until significant damage has been done.
3. What makes this “third wave” of attacks more serious than the previous ones?
The third wave of Glassworm attacks is more dangerous because it uses new techniques that make it almost invisible to traditional antivirus tools. It now spreads through trusted developer ecosystems and can automatically update itself using remote command-and-control servers. This wave also steals much more sensitive data, including cloud tokens, API keys, and configuration files used to deploy apps. Since so many companies rely on cloud services and repositories, the potential for widespread damage is bigger than ever.
4. Can Glassworm steal my code or intellectual property?
Yes. One of Glassworm’s primary goals is to steal source code, project structures, design documents, and internal development secrets. If you work for a company, this could mean leaking confidential projects. If you are an independent developer, it may expose private projects, early app builds, or sensitive algorithms. Attackers often sell this information on the dark web or use it to attack the software supply chain of the victim’s company.
5. How can I check if my VS Code installation is infected?
Detecting Glassworm is not simple because it is designed to hide extremely well. However, there are warning signs you can look for. Check if there are unknown extensions installed in VS Code, especially ones that were not downloaded from the official marketplace. Look for unexpected network activity when your VS Code is idle. Scan your system for strange background processes and inspect your project folders for unfamiliar scripts. Security tools like Windows Defender, CrowdStrike Falcon, or Malwarebytes may detect some versions of Glassworm, but not all.
6. What should I do immediately if I suspect a Glassworm infection?
The first step is to disconnect your computer from the internet to stop the malware from sending your data to attackers. Next, create a backup of important files—but avoid copying suspicious project folders or extensions. Run a full system scan using multiple security tools. After that, reset or reinstall VS Code completely. If you work in a company, notify your IT or cybersecurity team immediately because your infection may endanger the entire software supply chain. Finally, change all passwords, especially GitHub, SSH, cloud platforms, and developer tools.
7. How can developers protect themselves from Glassworm?
Developers should stick to trusted sources when downloading extensions and always verify the publisher’s identity. Regularly check for security alerts on GitHub repositories before cloning them. Enable two-factor authentication on GitHub, GitLab, cloud services, and developer tools. Keep your operating system, antivirus, and VS Code updated. Scan your packages and dependencies using tools like npm audit, pip-audit, or GitHub’s Dependabot. Also, avoid running unknown scripts or tasks inside VS Code, especially ones found online.
8. Are open-source developers more at risk from Glassworm?
Yes, open-source developers are often bigger targets because they work with many repositories, contributors, and packages from all over the world. Attackers know that open-source maintainers frequently install and test new packages or extensions, which increases the chance of downloading something malicious. Additionally, if Glassworm compromises one developer, it may gain access to large open-source projects that millions of people depend on. This creates a massive supply-chain risk.
9. Does Glassworm affect only Windows users, or can macOS and Linux be targeted too?
Although the earlier versions of Glassworm were mainly focused on Windows, the later waves—including the third wave—are now cross-platform. This means they can infect macOS and Linux systems as well. Because VS Code works the same way across all operating systems, attackers can easily adapt their malware to target developers regardless of their device. Linux users are especially at risk because many assume they are safe and may not use strong antivirus protection.
10. Will VS Code extensions ever be completely safe from threats like Glassworm?
No platform can ever be 100% safe, but the security of VS Code extensions can improve over time. Microsoft is already working on stricter verification, better malware scanning, and improved security policies. However, because extensions are created by third-party developers, there will always be risks. Attackers constantly find new vulnerabilities in supply chains, package managers, and open-source ecosystems. The best defense is a combination of strong security practices from both Microsoft and the users themselves.