Malicious VS Code extensions resurface, stealing GitHub credentials and crypto wallets
2025-11-11 01:05

Developers will have to contend with once-dormant malicious code that has turned active in Visual Studio Code (VS Code) extensions, which is believed to have compromised thousands of users by stealing credentials for GitHub, Open VSX, and cryptocurrency wallets.

Operation GlassWorm, first identified by cybersecurity firm Koi Security late last month, is the work of a group hacking VS Code extensions distributed through both the Open VSX Registry and Microsoft’s Visual Studio Marketplace. The bad actors have reportedly been embedding invisible malicious code within legitimate-looking developer tools.

Koi Security researchers say the campaign's main aim is to harvest developer credentials such as NPM tokens, GitHub logins, and Git credentials, to enable supply chain compromise and financial theft. According to Koi’s analysis, the same malware has also targeted 49 different cryptocurrency wallet extensions, draining user funds and exfiltrating sensitive data to remote servers.

GlassWorm turns developer machines into criminals’ aid

As reported by Koi’s team...