The invisible threat we’ve tracked for nearly a year has re-emerged. While the PolinRider campaign compromised hundreds of GitHub repositories, we now see a sharp rise in Glassworm activity impacting GitHub, NPM, and VS Code.

Last October, we urgently warned about how hidden Unicode characters compromised GitHub repositories, a method unmistakably linked to Glassworm. Now the situation is critical. Glassworm has resurfaced this month, and high-profile repositories are already affected, including those from Wasmer, Reworm, and OpenCode-Bench from anomalyco, the team behind OpenCode and SST.

A Year Tracking the Invisible Code Campaign 

  • In March 2025, Aikido first found malicious NPM packages that hide payloads using PUA Unicode characters.
  • In May 2025, we published a blog post explaining the risks of invisible Unicode and how attackers can use it in supply chain attacks.
  • On October 17, 2025, we found compromised extensions on OpenVSX that use the same technique.  
  • On October 31, 2025, we discovered that attackers had started targeting GitHub repositories.  
  • In March 2026, a new large-scale attack compromised hundreds of GitHub repositories, and NPM and VS Code were also affected.  

A Quick Reminder 

Before we uncover just how widespread this alarming new wave is, let’s quickly review how the attack works. Even with months of warnings, it continues to catch developers and tools off guard.  

The attack exploits invisible Unicode characters that escape detection in nearly every editor, terminal, and code review tool. Attackers conceal dangerous payloads within what appear to be empty strings. When the JavaScript runtime executes the code, a decoder extracts the real bytes and sends them straight to eval(), unleashing the full threat.
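A defender-side check for the technique described above, as an added example that is not code from the original article: a Node.js scanner that reports runs of invisible code points in source text. The code point ranges, the run threshold of 8, and the sample input are assumptions of this example.

```javascript
// Assumed ranges of code points that render as nothing in most editors.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f, 'zero-width or directional mark'],
  [0x2060, 0x2064, 'invisible operator'],
  [0xfe00, 0xfe0f, 'variation selector'],
  [0xfeff, 0xfeff, 'zero-width no-break space'],
  [0xe000, 0xf8ff, 'private use area'],
  [0xe0000, 0xe007f, 'tag character'],
  [0xe0100, 0xe01ef, 'variation selector supplement'],
  [0xf0000, 0x10fffd, 'supplementary private use area'],
];
const classify = (cp) => {
  const hit = INVISIBLE_RANGES.find(([lo, hi]) => cp >= lo && cp <= hi);
  return hit ? hit[2] : null;
};

// One finding per run of at least minRun consecutive invisible code points.
// A lone U+FE0F after an emoji or a leading BOM stays below the threshold.
function findInvisibleRuns(source, minRun = 8) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    let run = null, column = 0;
    const flush = () => {
      if (run && run.length >= minRun) findings.push(run);
      run = null;
    };
    for (const ch of text) { // for...of walks code points, not UTF-16 units
      column += 1;
      const kind = classify(ch.codePointAt(0));
      if (!kind) { flush(); continue; }
      run = run || { line: idx + 1, column, length: 0, kinds: new Set() };
      run.length += 1;
      run.kinds.add(kind);
    }
    flush();
  });
  return findings;
}

// Constructed sample: line 2 holds a template literal that renders as empty.
const hidden = String.fromCodePoint(...Array.from({ length: 40 }, (_, i) => 0xe0100 + i));
const SAMPLE = [
  'const label = "ok \u2705\ufe0f";', // ordinary emoji plus one variation selector
  'const s = `' + hidden + '`;',
  'console.log(s.length);',
].join('\n');

for (const f of findInvisibleRuns(SAMPLE))
  console.log(`${f.line}:${f.column} ${f.length} invisible code points (${[...f.kinds].join(', ')})`);
```

The run threshold keeps single variation selectors and byte-order marks from producing noise; lowering it trades more findings for more false positives.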

Cybersecurity researchers have identified three new extensions linked to the Glassworm campaign, indicating continued targeting of the Visual Studio Code (VS Code) ecosystem.  

These extensions remain active threats and can still be downloaded right now. They are:  

  • ai-driven-dev.ai-driven-dev (3402 downloads)
  • adhamu.history-in-sublime-merge (4057 downloads)
  • yasuyuky.transient-emacs (2431 downloads)

Glassworm was first reported by Koi Security late last month. Attackers are exploiting VS Code extensions from both the Open VSX Registry and Microsoft Extension Marketplace to steal Open VSX, GitHub, and Git credentials. They actively drain funds from 49 cryptocurrency wallet extensions and install extra remote access tools, escalating the threat to urgent levels.  

This malware is particularly dangerous because it hides its code from code editors using invisible Unicode characters. Stolen credentials fuel a self-replicating infection cycle that rapidly spreads across systems, making the worm-like attack difficult to stop.

Based on this evidence, Open VSX said it had found and removed all malicious extensions and had changed or revoked related tokens as of October 21, 2025. However, Koi Security’s latest report shows the threat has returned, using invisible Unicode characters to avoid detection.

The attacker submitted a new Solana blockchain transaction that updated the C2 endpoint for malware downloads, according to security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery. This shows the resilience of blockchain-based C2 infrastructure. Even if servers are shut down, the attacker can post a cheap transaction, and all infected machines get the updated location.

The security vendor also found an exposed endpoint on the attackers’ server, revealing a partial victim list across the US, South America, Europe, Asia, and a major Middle East government entity.  

Further analysis found keylogger data that seems to come from the attacker’s own machine. This has provided some indications about where Glassworm comes from. The attacker is believed to be Russian-speaking and uses an open-source browser extension C2 framework called RedExt as part of their setup.

These are real organizations and real people whose credentials are being harvested now, whose machines may be serving as criminal proxy infrastructure, and whose internal networks could be compromised at any moment, Koi Security said.

The alarming news follows reports from Aikido Security that Glassworm is actively targeting GitHub, with stolen credentials being used to push malicious commits and cause immediate harm.

Sources:

  • GlassWorm Malware Discovered in Three VS Code Extensions with Thousands of Installs
  • Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories