GlassWorm Has Had a Busy March
433 compromised components across GitHub, npm, VSCode, and OpenVSX in two weeks. Here is what GlassWorm is doing, how it works, what to check right now, and how to vet extensions before you install them.
If you have not been paying attention to the GlassWorm supply chain campaign, now is a good time to start. Over the past few weeks it hit 433 components across GitHub, npm, VSCode, and OpenVSX, and the techniques keep getting more sophisticated.
The original trick was invisible Unicode characters: malicious payloads hidden in what looks like empty strings, completely invisible in your editor, terminal, and code review interface. When the JavaScript runtime hits it, a small decoder extracts the bytes and passes them to eval(). By October 2025 it was already hitting VS Code extensions. In March 2026 it escalated significantly.
ForceMemo: The GitHub Takeover Variant
The newest variant, dubbed ForceMemo, steals GitHub tokens via malicious VS Code and Cursor extensions, then uses them to force-push malicious code into every repository the compromised account owns. It rewrites git history, preserves the original commit message and author date, and leaves no pull request or commit trail in GitHub's UI. You would not know it happened just by looking at the repo.
The scale of the March 2026 wave:
- 200 GitHub Python repositories
- 151 GitHub JS/TS repositories
- 72 VS Code/OpenVSX extensions
- 10 npm packages
All in roughly two weeks.
The Solana C2
The C2 infrastructure runs through the Solana blockchain. The malware queries a wallet's transaction memo field every 5 seconds for updated payload URLs. The attacker has been rotating those URLs regularly, sometimes multiple times a day. The same wallet address appears across multiple attack waves, which is how researchers connected the dots and attributed it all to a single threat actor.
The earliest C2 transaction dates to November 27, 2025, more than three months before the first GitHub repo injections in March 2026. This was a patient, staged operation.
What to Check Right Now
If you install Python packages directly from GitHub or run cloned repos, check your codebase for the marker variable lzcdrtfxyqiplpd. Also look for:
- ~/init.json on your system (persistence marker)
- Unexpected Node.js installs in your home directory (~/node-v22*)
- Suspicious i.js files in recently cloned projects
- Git commit histories where the committer date is significantly newer than the author date
That last one is the tell for the force-push technique. Legitimate commits don't have that gap.
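Two of these checks can be scripted: the committer/author date gap across a clone's history, and the file and variable markers listed above. This is an added example, not code from the post or from any GlassWorm research tooling; the seven-day gap threshold and the choice to scan only .py files for the marker variable are assumptions.

```python
import glob
import os
import subprocess
from pathlib import Path

MARKER_VAR = "lzcdrtfxyqiplpd"
# Rebases and cherry-picks also move the committer date, so only report commits
# whose committer date trails the author date by more than this assumed threshold.
GAP_SECONDS = 7 * 24 * 3600

def find_date_gaps(log_lines, gap_seconds=GAP_SECONDS):
    """Parse `git log --format=%H %at %ct` lines; return (sha, gap) for commits
    whose committer timestamp is far newer than the author timestamp."""
    suspicious = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        gap = int(parts[2]) - int(parts[1])
        if gap > gap_seconds:
            suspicious.append((parts[0], gap))
    return suspicious

def scan_repo_history(repo):
    # --all walks every branch, not just the one currently checked out.
    out = subprocess.run(["git", "-C", repo, "log", "--all", "--format=%H %at %ct"],
                         capture_output=True, text=True, check=True).stdout
    return find_date_gaps(out.splitlines())

def host_markers(home=None):
    """Persistence markers from the post: ~/init.json and ~/node-v22*."""
    home = Path(home or Path.home())
    found = [str(home / "init.json")] if (home / "init.json").exists() else []
    return found + sorted(glob.glob(str(home / "node-v22*")))

def project_markers(root):
    """i.js files and Python sources containing the marker variable."""
    hits = []
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "i.js":
                hits.append((path, "i.js present"))
            elif name.endswith(".py"):
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if MARKER_VAR in fh.read():
                        hits.append((path, "marker variable"))
    return sorted(hits)
```

Run scan_repo_history on each clone you pull from GitHub and project_markers on its working tree; host_markers takes no arguments and checks your home directory.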
Where VS Code Extensions Live on Your System
GlassWorm enters through your IDE. Once an extension is installed, it runs with your full user privileges every time VS Code starts. Knowing where those files land is the first step to auditing them.
Windows: %USERPROFILE%\.vscode\extensions (e.g., C:\Users\YourName\.vscode\extensions)
macOS / Linux: ~/.vscode/extensions (e.g., /home/yourname/.vscode/extensions)
Remote Development / Codespaces: ~/.vscode-remote/extensions
Each extension gets its own subdirectory named publisher.extensionname-version. The actual code is in there, readable, and you can grep it. If you want to check a specific extension for the GlassWorm Unicode decoder pattern, look for files containing codePointAt combined with 0xFE00 or 0xE0100 in the extension's JS files.
How to Vet an Extension Before Installing
The marketplace star count and download numbers mean very little. GlassWorm operators inflated download counts artificially. Here is what actually matters.
Check the publisher identity. On the VS Code Marketplace, click the publisher name and look at their other extensions. A publisher with one extension, created last month, with no website and no linked GitHub is a yellow flag. GlassWorm used typosquatted publisher names like daeumer-web to impersonate the legitimate ESLint maintainer dbaeumer.
Read the source before you run it. Every extension is a zip file (VSIX). You can download it manually from the marketplace and inspect the contents before installing. The file that matters most is extension/out/extension.js or similar. Search for eval, Function(, invisible Unicode ranges, and outbound network calls to unfamiliar domains.
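The decoder grep from the previous section (codePointAt next to 0xFE00 or 0xE0100 in an installed extension's JS files) and the source search above (eval, Function(, invisible Unicode ranges, outbound hosts) can be one scanner run over either the extensions directory or an unzipped VSIX. This is an added example, not code from the post; the minimum run length of eight invisible code points and the token list are assumptions, and every line it reports is for you to read, not an automatic verdict.

```python
import re
from pathlib import Path

# Variation selectors (U+FE00-FE0F, U+E0100-E01EF) render as nothing in editors,
# terminals and diff views; GlassWorm hides its payload in runs of them.
INVISIBLE_RUN = re.compile(r"[\uFE00-\uFE0F\U000E0100-\U000E01EF]{8,}")
# The decoder maps those code points back to bytes, so codePointAt is only a
# finding when one of the range offsets appears in the same file.
DECODER_HEX = ("0xfe00", "0xe0100")
EVAL_SINKS = ("eval(", "Function(")
HOSTNAME = re.compile(r"https?://([A-Za-z0-9.-]+)")

def scan_js_text(text):
    """Return the findings for one JavaScript source string (empty if clean)."""
    findings = []
    lowered = text.lower()
    runs = INVISIBLE_RUN.findall(text)
    if runs:
        findings.append(f"invisible unicode: {len(runs)} run(s), longest {max(map(len, runs))} code points")
    hexes = [h for h in DECODER_HEX if h in lowered]
    if "codepointat" in lowered and hexes:
        findings.append("decoder pattern: codePointAt with " + ", ".join(hexes))
    for sink in EVAL_SINKS:
        if sink in text:
            findings.append(f"dynamic code sink: {sink}")
    hosts = sorted({h.lower() for h in HOSTNAME.findall(text)})
    if hosts:
        findings.append("outbound hosts to review: " + ", ".join(hosts))
    return findings

def scan_dir(root):
    """Scan every .js file under root: an extensions directory or an unzipped VSIX."""
    report = {}
    for js in sorted(Path(root).rglob("*.js")):
        try:
            findings = scan_js_text(js.read_text(encoding="utf-8", errors="ignore"))
        except OSError:
            continue
        if findings:
            report[str(js)] = findings
    return report

if __name__ == "__main__":
    import sys
    # Default to ~/.vscode/extensions, the install location on Windows, macOS and Linux.
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    for path, findings in scan_dir(target).items():
        print(path, *("  - " + f for f in findings), sep="\n")
```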
Check the GitHub repo, not just the marketplace page. A legitimate extension has an active repo with a real commit history, issues, and contributors. If the marketplace page links to a GitHub repo that was created two weeks ago with one commit, do not install it.
Watch for extensionPack and extensionDependencies in package.json. GlassWorm's latest technique uploads a clean extension first, then updates it to pull a malicious loader as a dependency. Before installing, download the VSIX and check the package.json manifest for any dependencies or pack entries. Verify those extension IDs exist on the marketplace and are what they claim to be.
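The manifest check can be done offline on the downloaded VSIX. This is an added example, not the post's own code: it lists the extensionPack and extensionDependencies entries, flags any you did not expect or that are malformed, and compares the publisher field against publishers you trust to catch look-alikes such as daeumer-web next to dbaeumer; the 0.7 similarity threshold is an assumption.

```python
import json
import zipfile
from difflib import SequenceMatcher

def read_manifest(vsix):
    """A .vsix is a zip; parse extension/package.json from a path or file object."""
    with zipfile.ZipFile(vsix) as archive, archive.open("extension/package.json") as fh:
        return json.load(fh)

def pulled_in_extensions(manifest):
    """Every extension ID this package would install alongside itself."""
    return list(manifest.get("extensionPack", [])) + list(manifest.get("extensionDependencies", []))

def vet_manifest(manifest, expected_ids=(), known_publishers=(), similarity=0.7):
    """Flag pack/dependency entries you did not expect, malformed IDs, and a
    publisher name that is a near-miss of a publisher you trust."""
    problems = []
    for ext_id in pulled_in_extensions(manifest):
        publisher, _, name = ext_id.partition(".")
        if not publisher or not name:
            problems.append(f"malformed extension id {ext_id!r}")
        elif ext_id not in expected_ids:
            problems.append(f"unexpected dependency/pack entry {ext_id}")
    publisher = str(manifest.get("publisher", "")).lower()
    for known in known_publishers:
        if publisher == known.lower():
            continue
        # difflib ratio: 1.0 is identical; 0.7 (assumed) catches daeumer-web vs dbaeumer.
        ratio = SequenceMatcher(None, publisher, known.lower()).ratio()
        if ratio >= similarity:
            problems.append(f"publisher {publisher!r} resembles {known!r} ({ratio:.2f})")
    return problems

if __name__ == "__main__":
    import sys
    # usage: vet_vsix.py extension.vsix [expected.id ...] (script name assumed)
    manifest = read_manifest(sys.argv[1])
    print(manifest.get("publisher"), manifest.get("name"), manifest.get("version"))
    for problem in vet_manifest(manifest, expected_ids=sys.argv[2:]):
        print(" -", problem)
```

Any ID the script reports as unexpected still has to be looked up on the marketplace by hand; the script only tells you what the package would pull in, not whether it is what it claims to be.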
Use Aikido SafeChain or similar tooling for npm. For npm packages the same principle applies. Tools like Aikido SafeChain wrap your package manager and flag known-malicious packages before they install.
The uncomfortable truth is that the VS Code marketplace does not have mandatory code review. Extensions are published with minimal friction. The responsibility for vetting lands on you.