All news with #visual studio code tag

GlassWorm Resurfaces in VS Code Extensions and GitHub

🐛 Researchers have found a renewed wave of the GlassWorm supply-chain worm targeting Visual Studio Code extensions and GitHub repositories after it was previously declared contained. The malware hides JavaScript payloads in undisplayable Unicode characters, making malicious code invisible in editors, and uses blockchain memos on Solana to publish remote C2 endpoints. Koi researchers identified three newly compromised OpenVSX extensions and observed credential theft and AI-styled commits used to propagate the worm.

GlassWorm Malware Found in Three VS Code Extensions

🔒 Researchers identified three malicious VS Code extensions tied to the GlassWorm campaign that together had thousands of installs. The packages — ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs — were still available at reporting. Koi Security warns GlassWorm harvests Open VSX, GitHub, and Git credentials, abuses invisible Unicode for obfuscation, and uses blockchain-updated C2 endpoints. Defenders should audit extensions, rotate exposed tokens and credentials, and monitor repositories and wallet activity for signs of compromise.

Malicious Ransomvibe Extension Found in VSCode Marketplace

⚠️ A proof-of-concept ransomware strain dubbed Ransomvibe was published as a Visual Studio Code extension and remained available in the VSCode Marketplace after being reported. Secure Annex analysts found the package included blatant indicators of malicious functionality — hardcoded C2 URLs, encryption keys, compression and exfiltration routines — alongside included decryptors and source files. The extension used a private GitHub repository as a command-and-control channel, and researchers say its presence highlights failures in Microsoft’s marketplace review process.

Malicious VSX Extension 'SleepyDuck' Uses Ethereum

🦆 Researchers at Secure Annex warned of a malicious Open VSX extension, juan-bianco.solidity-vlang, that delivers a remote access trojan dubbed SleepyDuck. Originally published as a benign library on October 31, 2025, it was updated to a malicious release after reaching about 14,000 downloads. The extension triggers on opening a code editor window or selecting a .sol file, harvesting host details and polling an Ethereum-based contract to obtain and update its command server. It also contains fallback logic using multiple Ethereum RPC providers to recover C2 information if the domain is taken down; users should only install extensions from trusted publishers and follow vendor guidance.

Eclipse Foundation Revokes Leaked Open VSX Tokens Promptly

🔒 The Eclipse Foundation said it revoked a small number of Open VSX access tokens after Wiz reported several VS Code extensions had inadvertently exposed credentials in public repositories. The exposures were attributed to developer error, not an Open VSX infrastructure compromise. Open VSX introduced an ovsxp_ token prefix, removed flagged extensions, reduced default token lifetimes, and plans automated scans to bolster supply‑chain defenses.

Self-Propagating GlassWorm Targets VS Code Marketplaces

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.

Over 100 VS Code Extensions Leaked Access Tokens Exposed

🔒 Wiz researchers found that publishers of over 100 Visual Studio Code extensions leaked personal access tokens and other secrets that could allow attackers to push malicious extension updates across large install bases. The team validated more than 550 secrets across 500+ extensions spanning 67 types, including AI provider keys, cloud credentials, database and payment secrets. Over 100 extensions exposed Marketplace PATs (≈85,000 installs) and ~30 exposed Open VSX tokens (≈100,000 installs); many flagged packages were themes and hard-coded secrets in .vsix files were often discoverable. Microsoft revoked leaked tokens after disclosure and is adding secret-scanning; users and organizations were advised to limit extensions, vet packages, maintain inventories, and consider centralized allowlists.

TigerJack's Malicious VSCode Extensions Steal and Mine

⚠️ Koi Security disclosed a coordinated campaign by a group dubbed TigerJack that published malicious extensions to the Visual Studio Code Marketplace and the OpenVSX registry to exfiltrate source code, deploy cryptominers, and maintain remote access. Two popular packages — C++ Payground and HTTP Format — accumulated over 17,000 downloads before removal from Microsoft's store, yet variants remain active on OpenVSX. Researchers warn that the most advanced builds fetch and execute remote JavaScript, allowing attackers to push new payloads without republishing and evading static scanners.

Chinese TA415 Abuses VS Code Remote Tunnel for Espionage

🔒 Proofpoint reported that a China-aligned threat actor tracked as TA415 conducted spear-phishing in July–August 2025, impersonating U.S. policy officials and the U.S.-China Business Council to target government, think tank, and academic personnel focused on trade and economic policy. The messages delivered password-protected archives on public cloud services that contained a Windows shortcut which executed a hidden batch script and an obfuscated Python loader named WhirlCoil while displaying a decoy PDF. The loader establishes a VS Code Remote Tunnel to enable persistent backdoor access, harvests system and user data, exfiltrates it via base64-encoded HTTP posts to free request-logging services, and establishes scheduled tasks (e.g., GoogleUpdate) for persistence.

AWS Adds LocalStack Integration to VS Code Toolkit Extension

🧰 AWS has added a LocalStack integration for Visual Studio Code that enables developers to test and debug serverless applications locally from the IDE. The integration connects VS Code to a LocalStack-emulated environment without manual port configuration or code changes, exposing emulated services such as AWS Lambda, Amazon SQS, Amazon API Gateway, and DynamoDB. Available through the AWS Toolkit for VS Code (v3.74.0+), a guided walkthrough installs the LocalStack CLI, creates a LocalStack profile, and lets developers switch profiles and deploy to the LocalStack environment at no additional AWS cost.