β–ˆβ–ˆFRβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ β–ˆINTELLβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ

🚨URGENT: A Self-Propagating Worm Is Hitting VSCode Extensions Right Nowβ€” Here’s How to Protect Yourself


This content originally appeared on DEV Community and was authored by Ishaan Agrawal

Hey everyone, this is a quick but urgent post. A new, highly sophisticated worm is actively targeting developers on both the VSCode and OpenVSX marketplaces.

It’s called “Glassworm,” and you need to know about it.

What is Glassworm?

This isn’t your typical malware. According to a new incident report, Glassworm is the first self-propagating worm to use invisible Unicode characters to hide its malicious code.

This means the malicious parts of the code can be completely invisible during a standard code review, making it incredibly stealthy and dangerous.

Why This Is So Dangerous

When an infected extension is installed, it’s a full-blown disaster. The worm is a Remote Access Trojan (RAT) that immediately gets to work:

  • Steals Credentials: It harvests your NPM, GitHub, and Git credentials.
  • Spreads Itself: It uses those stolen credentials to infect other packages and extensions you have access to, just like a true worm.
  • Drains Wallets: It actively targets 49 different cryptocurrency wallet extensions.
  • Hijacks Your Machine: It deploys SOCKS proxies (turning your dev box into a criminal proxy) and installs a hidden VNC for full remote access.

To make matters worse, its command-and-control server is reportedly blockchain-based, making it extremely difficult to shut down.

How to Protect Yourself RIGHT NOW

We all install extensionsβ€”themes, linters, snippets. We trust them. But this incident proves we can’t be complacent. The most immediate action you can take is to scan your extensions.

A fantastic (and free) tool for this is vscan.dev.

It’s a security analyzer built specifically for VS Code extensions. You can paste in the name of an extension, and it will run a deep analysis of its code, permissions, dependencies, and network activity before you install it. It’s designed to catch exactly this kind of suspicious behavior.

Your New Security Workflow (Starting Today)

  1. Audit Your Current Extensions: Go to vscan.dev and check the extensions you already have installed.
  2. Scan Before You Install: Make this a new habit. Before you click “Install” on any new extension, run it through vscan.dev first.
  3. Review the Report: Look for red flags like dangerous API usage, suspicious network connections, or vulnerable dependencies.

This is an active, ongoing threat. Don’t assume your editor is safe. Take 10 minutes, scan your tools, and stay vigilant.

Stay safe out there.


This content originally appeared on DEV Community and was authored by Ishaan Agrawal