
GlassWorm Weaponized VS Code's Own Extension System. 72 Packages. We Have 177 IOCs.

  • Writer: Patrick Duggan
  • 15 minutes ago
  • 3 min read

GlassWorm didn't write a zero-day. It didn't exploit a memory corruption bug in VS Code. It read the documentation.


The extensionPack and extensionDependencies fields in the Open VSX manifest format exist so extension authors can bundle related tools — install one extension, get three more automatically. It's a convenience feature. GlassWorm turned it into a malware delivery mechanism. Install one poisoned extension, and VS Code silently pulls two or three more from the registry, each one a layer deeper into the payload chain.


Seventy-two extensions. Transitive delivery. Your security scanner sees the parent install and flags nothing, because the parent is clean.


Our SSLBL ingest started flagging GlassWorm C2 infrastructure before the campaign got public attribution. Right now, confirmed in our index:


199.247.10.14 on port 4789 — GlassWorm command-and-control, SSLBL-flagged.


208.76.223.59 on port 80 — GlassWorm C2, SSLBL-flagged.


217.69.11.99 — two active endpoints: port 4789 WebSocket C2, and a module-fetch path at /module/wrtc serving the WebRTC component that GlassWorm uses for peer-to-peer exfil.


177 total IOCs across domains, IPs, and certificate hashes in our feed. The WebRTC exfil channel is the part that keeps me up at night — it looks like legitimate video conferencing traffic to any DPI appliance that isn't doing full TLS inspection.


The GlassWorm campaign doesn't operate in isolation. Our npm/PyPI supply chain index shows 41 correlated hits — same SmartLoader delivery pattern, same ZIP-on-GitHub distribution infrastructure, different packaging. The pattern is:


A fake package repo on GitHub. A ZIP archive with a legitimate-looking name. URLhaus flagged multiple: github.com/juwad65/npm-malware-scanner and github.com/UlaLee/skills-npm both hosting SmartLoader payloads in test fixture paths — node_modules/test-pkg-a/npm_skills_celeste.zip being a particularly brazen filename choice.


SmartLoader is the first-stage dropper. GlassWorm is what it installs when it lands on a developer machine. The target in both cases is the same: developer workstations, CI/CD credentials, repository access tokens.


A developer machine that has committed to your production repository has the keys to everything that repository touches. It doesn't matter how good your cloud security posture is if the person with write access to your infrastructure-as-code repo has GlassWorm sitting in their VS Code extension directory.


This is the supply chain attack that doesn't require you to compromise a vendor. It compromises the human whose credentials give them vendor-level access.


The 72 Open VSX extensions GlassWorm weaponized were reviewed, starred, had legitimate descriptions, and some had been in the registry long enough to accumulate real install counts. The transitive delivery chain means your developer never clicked "install" on the malicious extension — they installed something that looked fine, and VS Code did the rest automatically.


Audit your VS Code extension list. Pay particular attention to any extension with an extensionPack or extensionDependencies manifest field — those are the delivery vectors. Any extension you can't attribute to a named, verifiable publisher with a public identity should be treated as suspect.
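Here is what that audit looks like as a script. This is an added example, not code from the post or from any GlassWorm analysis: it walks `~/.vscode/extensions/*/package.json`, follows `extensionPack` and `extensionDependencies` transitively so you see the whole chain a single install would pull in, and flags anything from a publisher you haven't verified. The sample manifests, publisher names and allowlist are constructed placeholders.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed sample manifests standing in for ~/.vscode/extensions/*/package.json.
# Publisher and extension names are placeholders, not real registry entries.
SAMPLE_MANIFESTS = {
    "trusted-publisher.clean-tool-1.0.0": {
        "name": "clean-tool", "publisher": "trusted-publisher", "version": "1.0.0",
    },
    "unknown-pub.bundle-pack-0.1.0": {
        "name": "bundle-pack", "publisher": "unknown-pub", "version": "0.1.0",
        # extensionPack: installing this one makes VS Code install both of these too
        "extensionPack": ["unknown-pub.helper-one", "unknown-pub.helper-two"],
    },
    "unknown-pub.helper-one-0.1.0": {
        "name": "helper-one", "publisher": "unknown-pub", "version": "0.1.0",
        # extensionDependencies: a second hop in the same chain
        "extensionDependencies": ["unknown-pub.helper-two"],
    },
}

# Assumption: you maintain an allowlist of publishers verified out-of-band.
KNOWN_PUBLISHERS = {"trusted-publisher"}


def load_manifests(ext_dir):
    """Map '<publisher>.<name>' -> parsed package.json for every installed extension."""
    manifests = {}
    for path in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            m = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the audit
        manifests[f"{m.get('publisher', '')}.{m.get('name', '')}"] = m
    return manifests


def pulls(manifest):
    """Every extension id this manifest causes VS Code to install alongside it."""
    return list(manifest.get("extensionPack", [])) + list(manifest.get("extensionDependencies", []))


def transitive_pulls(manifests, root_id):
    """Follow extensionPack/extensionDependencies through the installed manifests.

    Ids that are referenced but not installed locally are still reported,
    because the registry would fetch them on install.
    """
    seen, stack = set(), list(pulls(manifests.get(root_id, {})))
    while stack:
        ext_id = stack.pop()
        if ext_id in seen:
            continue
        seen.add(ext_id)
        stack.extend(pulls(manifests.get(ext_id, {})))
    return seen


def audit(manifests, known_publishers):
    """Findings for extensions that pull others in or come from an unverified publisher."""
    findings = []
    for ext_id, m in manifests.items():
        reasons = []
        chain = transitive_pulls(manifests, ext_id)
        if chain:
            reasons.append(f"pulls {len(chain)} extension(s) transitively")
        if m.get("publisher") not in known_publishers:
            reasons.append("publisher not on verified list")
        if reasons:
            findings.append({"id": ext_id, "chain": sorted(chain), "reasons": reasons})
    return findings


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for dirname, manifest in SAMPLE_MANIFESTS.items():
            d = Path(tmp) / dirname
            d.mkdir()
            (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit(load_manifests(tmp), KNOWN_PUBLISHERS)


if __name__ == "__main__":
    # On a real machine: audit(load_manifests(os.path.expanduser("~/.vscode/extensions")), KNOWN_PUBLISHERS)
    for f in demo():
        print(f["id"], "->", f["chain"], ";", "; ".join(f["reasons"]))
```

The point of the transitive walk is the one the post makes: the extension your developer clicked on may itself be clean, so a finding on `bundle-pack` has to show `helper-two` even though `helper-two` never appears in `bundle-pack`'s own manifest. Ids in the chain that aren't installed locally are the ones the registry would have fetched silently.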


Block the three C2 IPs at your perimeter: 199.247.10.14, 208.76.223.59, 217.69.11.99. The port 4789 and WebSocket traffic patterns are distinct enough to flag on any modern NGFW.


Cross-reference your developer workstations against the full 177-IOC GlassWorm set. It's in our STIX feed at analytics.dugganusa.com, updated daily, no paywall.
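Perimeter blocking and the workstation cross-reference both come down to matching traffic against the C2 set above. The following is an added example, not part of the post or its feed: it runs the three IPs, the port 4789 WebSocket channel and the `/module/wrtc` fetch path over a constructed connection log and returns the internal hosts that need an extension audit. The CSV layout is an assumption about your log shape; swap `C2_IPS` for the full feed when you pull it.

```python
import csv
import io
from dataclasses import dataclass

# C2 IOCs as listed in the post above.
C2_IPS = {"199.247.10.14", "208.76.223.59", "217.69.11.99"}
C2_WS_PORT = 4789                # WebSocket C2 port named in the post
C2_MODULE_PATH = "/module/wrtc"  # WebRTC component fetch path named in the post

# Constructed connection/proxy log, not real telemetry. Columns are an assumption
# about your log shape; map your own fields onto them. 203.0.113.10 is a
# documentation-range address standing in for ordinary web traffic.
SAMPLE_LOG = """ts,src_ip,dst_ip,dst_port,proto,uri
2025-01-01T10:00:00Z,10.0.0.5,199.247.10.14,4789,tcp,
2025-01-01T10:00:02Z,10.0.0.5,217.69.11.99,80,tcp,/module/wrtc
2025-01-01T10:00:05Z,10.0.0.7,203.0.113.10,443,tcp,/
2025-01-01T10:00:09Z,10.0.0.9,10.0.1.2,4789,udp,
2025-01-01T10:00:12Z,10.0.0.5,208.76.223.59,80,tcp,/
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    tags: tuple


def classify(row):
    """Return IOC tags for one log row, or an empty tuple if it doesn't match."""
    tags = []
    dst, port = row["dst_ip"], int(row["dst_port"])
    proto, uri = row["proto"].lower(), row["uri"]
    if dst in C2_IPS:
        tags.append("glassworm-c2-ip")
        # 4789/udp is VXLAN in most networks; only a TCP session to a listed
        # C2 address is tagged as the WebSocket channel, so overlay traffic
        # doesn't light up the rule.
        if port == C2_WS_PORT and proto == "tcp":
            tags.append("glassworm-websocket-c2")
        if uri.startswith(C2_MODULE_PATH):
            tags.append("glassworm-webrtc-module-fetch")
    return tuple(tags)


def scan(log_text):
    """Parse the CSV log and return every row that matches an IOC."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        tags = classify(row)
        if tags:
            hits.append(Hit(row["ts"], row["src_ip"], row["dst_ip"], int(row["dst_port"]), tags))
    return hits


def hosts_to_triage(hits):
    """Internal sources that talked to C2: the workstations whose extension list you pull next."""
    return sorted({h.src_ip for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h.ts, h.src_ip, "->", f"{h.dst_ip}:{h.dst_port}", ", ".join(h.tags))
    print("triage:", hosts_to_triage(found))
```

Two design choices worth keeping when you port this to your SIEM: the port and path tags are only applied once the destination is already a listed C2 address, so they sharpen a hit rather than generate their own, and the same source host showing up across several C2 destinations (10.0.0.5 in the sample) is the signal that the install chain ran to completion on that machine.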


GlassWorm is elegant in a way that makes it annoying to defend against. It didn't break anything. It used documented, supported functionality in a registry that exists specifically to make extension distribution easy. The same mechanism that lets a legitimate productivity extension bundle its dependencies is the mechanism that let 72 malicious extensions chain together their payload delivery.


The defense isn't to disable extension dependencies — that breaks half the ecosystem. The defense is to know exactly what's running in your development environment and to have IOC coverage that catches the C2 traffic when the initial install check fails.


177 IOCs. Free feed. Pull it now.





