GlassWorm Returns: How Malicious VS Code Extensions Are Quietly Expanding Your Attack Surface
Andrew Mason
May 11, 2026
Summary
GlassWorm is a resurgence of malicious VS Code extensions that expands attack surfaces by targeting developer machines holding sensitive credentials and code, evading traditional security detection. Learn detection and mitigation tips.


Cybersecurity threats continue to grow more sophisticated, and one of the latest to resurface is GlassWorm, a notorious set of malicious VS Code extensions. This post looks at how this supply chain attack expands the attack surface and why it is catching security leaders and DevSecOps teams off guard.

Understanding GlassWorm

GlassWorm refers to a series of malicious extensions for Visual Studio Code (VS Code), a widely used code editor. Once installed, these extensions run with the same permissions as the developer, giving them access to critical assets such as credentials, source code, and cloud infrastructure. The risk is significant because that access can lead to unauthorised data access and manipulation.

The Threat of Malicious VS Code Extensions

VS Code extensions are underrated as an attack vector, largely because developer environments are assumed to be somewhat isolated. In practice, these environments often hold sensitive information and carry access to multiple cloud environments and critical repositories. Once that access is abused, a malicious extension becomes a potent tool for expanding an organisation's external attack surface.

Expanding Attack Surfaces

Compromised extensions fall outside what traditional attack surface management covers. Developer workstations that run them can reach internal APIs, remote servers, and more, so they inadvertently become gateways through which attackers move into systems beyond the traditional perimeter.

Limitations of Traditional Scanners and EDR

Traditional security solutions, such as endpoint detection and response (EDR) and static scanners, often fall short in detecting these types of threats. EDR may not flag an extension that performs no overt malicious action immediately after installation. Static scanners, in turn, may not thoroughly vet extensions that come from trusted marketplaces.

Steps for Detection and Mitigation

  1. Regularly review installed extensions: Enforce policies that require scrutiny over which extensions can be installed by developers.
  2. Implement behavioural analysis: Leveraging AI-powered solutions to detect deviations in normal extension behaviours can preemptively identify threats.
  3. Educate developers: Train them to recognise the signs of a potentially malicious extension and encourage them to work within a secure development lifecycle.
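Step 1 above, as an added example that is not part of the original post or any DarkInvader tooling: a Python audit of the extension inventory VS Code keeps under ~/.vscode/extensions/ against an approved list, flagging extensions that are not approved, that drift from the approved version, or whose publisher name is a near-miss of an approved one. The inventory path and its layout (an array of entries with identifier.id and version) are assumptions about VS Code's extensions.json, and the allow-list and sample inventory are constructed.

```python
import json
from difflib import SequenceMatcher
from pathlib import Path

# Assumed location and layout of the inventory VS Code writes for installed extensions.
INVENTORY_PATH = Path.home() / ".vscode" / "extensions" / "extensions.json"

# Constructed allow-list: extension id -> approved version (None = any version).
ALLOWLIST = {
    "ms-python.python": None,
    "esbenp.prettier-vscode": "10.4.0",
}

# Constructed inventory in the shape of extensions.json; the third entry uses a
# hypothetical look-alike publisher and is not a real extension.
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.4.1"},
    {"identifier": {"id": "esbenp.prettier-vscode"}, "version": "10.1.0"},
    {"identifier": {"id": "ms-pytohn.python-helper"}, "version": "0.0.3"},
])


def resembles(candidate: str, known: set[str], threshold: float = 0.8) -> bool:
    """True if candidate is a near-miss of one of the approved publisher names."""
    return any(SequenceMatcher(None, candidate, k).ratio() >= threshold for k in known)


def audit(inventory_json: str, allowlist: dict = ALLOWLIST) -> list[tuple[str, str, str]]:
    """Return (extension id, installed version, finding) for every policy violation."""
    findings = []
    approved_publishers = {ext.split(".", 1)[0] for ext in allowlist}
    for entry in json.loads(inventory_json):
        ext_id = entry["identifier"]["id"].lower()  # ids are case-insensitive
        version = entry.get("version", "unknown")
        publisher = ext_id.split(".", 1)[0]
        if ext_id not in allowlist:
            reason = "not on allow-list"
            if publisher not in approved_publishers and resembles(publisher, approved_publishers):
                reason += f"; publisher '{publisher}' resembles an approved publisher"
            findings.append((ext_id, version, reason))
        elif allowlist[ext_id] not in (None, version):
            findings.append((ext_id, version, f"version drift: approved {allowlist[ext_id]}"))
    return findings


if __name__ == "__main__":
    # Audit the real inventory when present, otherwise the constructed sample.
    data = INVENTORY_PATH.read_text() if INVENTORY_PATH.exists() else SAMPLE_INVENTORY
    for ext_id, version, reason in audit(data):
        print(f"{ext_id} {version}: {reason}")
```

Run it on each developer workstation (or from an endpoint management job) and feed the findings into the extension review process.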

FAQ

What is GlassWorm?

GlassWorm represents a series of malicious extensions for VS Code intended to access sensitive developer resources covertly.

Why are VS Code extensions a hidden threat?

They often have access to critical developer resources like source code and cloud credentials, making them potential vectors for expanded attack surfaces.

How do these extensions expand attack surfaces?

They provide attackers pathways beyond traditional boundaries, tapping into developer machines that interface with broader systems and networks.

Can traditional scanners detect these threats effectively?

No, traditional EDRs and scanners may not detect these threats unless there's immediate visible malicious activity.

How can organisations protect themselves?

By performing regular audits of VS Code extensions, educating developers, and using behavioural analysis tools to detect deviations from normal operations.


Andrew Mason

Andrew is an entrepreneur and technology leader with a strong track record of building, scaling, and exiting high-growth technology businesses. He is the founder of several award-winning companies including RandomStorm, Data Protection People, RapidSpike, Pentest People, and DarkInvader, each operating at the forefront of cybersecurity, risk management, and digital resilience. Across these ventures, Andrew has consistently focused on creating commercially successful businesses grounded in deep technical capability and clear market need.
