GlassWorm: Your IDE Is the Attack Surface Now

A week ago, security researchers at Aikido, Socket, and StepSecurity disclosed that a coordinated supply chain campaign — tracked as GlassWorm / ForceMemo — had compromised 400+ code repositories across GitHub, npm, VS Code Marketplace, and OpenVSX. The attack started around March 8, 2026, and is still being cleaned up.

Here's what happened, why it matters more than a typical supply chain attack, and what it tells us about the security gap in modern developer environments.

The Attack Chain

GlassWorm isn't one vulnerability. It's a multi-stage campaign that chains together three different attack surfaces.

Stage 1: Malicious IDE extensions. The attackers published extensions on the VS Code Marketplace and OpenVSX — the registry that supplies Cursor, Windsurf, and other AI coding assistants. These extensions looked legitimate. Standard names, plausible descriptions, enough stars to pass a quick scan. Truesec's original analysis documented the self-propagating worm mechanism.

Stage 2: Credential harvesting. Once installed, GlassWorm's stage 3 payload aggressively harvests developer credentials from multiple sources:

• git credential fill
• VS Code extension storage
• ~/.git-credentials
• The GITHUB_TOKEN environment variable
• NPM authentication tokens
• Open VSX credentials

That's every place a developer's identity lives on their machine.

Stage 3: Silent repository poisoning. Using the stolen GitHub tokens, the attackers force-pushed malware into the target repositories. But not with a normal commit. They rebased on top of the latest legitimate commit, preserved the original commit message, author name, and author date, then force-pushed. In GitHub's UI, nothing looks different. No pull request. No new commit from an unfamiliar account. The malicious code appears as if the original developer wrote it.

Stage 4: Invisible payloads. The second wave used invisible Unicode characters — variation selectors and Private Use Area characters — to hide malicious code that appeared as empty lines in code editors. A GitHub code search for the decoder pattern returned at least 151 matching repositories, understating the true scope since many affected repos had already been deleted.

Why This One Is Different

We've seen supply chain attacks before. Typosquatting on npm. Malicious PyPI packages. Dependency confusion. Those attacks target the package installation step — you run pip install or npm install and hope nobody slipped something malicious into your dependency tree.

GlassWorm targets the developer's machine directly, through the tool they spend 8 hours a day inside.

Three things make it worse than what came before:

1. The IDE is a trusted context. Nobody treats installing a VS Code extension with the same caution as running an untrusted binary. Extensions are installed with one click. They run with full user permissions. They can read every file in your workspace, access environment variables, and communicate over the network. And they persist across every project you open.

2. AI coding assistants multiply the attack surface. Cursor, Windsurf, and other AI-powered editors are built on VS Code and use the same extension registries. The OpenVSX registry serves both standard IDEs and AI assistants. An AI coding assistant running with your credentials and a compromised extension has everything an attacker needs: your code, your tokens, and an automated process that writes and commits code on your behalf.

3. Force-push history rewriting leaves no trail. Traditional supply chain attacks leave forensic evidence: a new account that published a typosquatted package, a suspicious pull request from an unknown contributor. GlassWorm's technique of rebasing and force-pushing with the original author's identity creates commits that are forensically identical to legitimate work. The only way to detect it is to compare the commit hash against an external record of what the repository looked like before.

The Numbers

From the combined research of Aikido, StepSecurity, and Bleeping Computer:

• 433 compromised components identified across GitHub, npm, VS Code Marketplace, and OpenVSX
• 151+ repositories with invisible Unicode payload (understated — deleted repos not counted)
• 49 cryptocurrency wallet extensions targeted for credential theft
• 82% of 2,614 MCP implementations surveyed were vulnerable to path traversal — the same class of vulnerability GlassWorm exploits
• Targets include Django apps, ML research code, Streamlit dashboards, and PyPI packages
• Compromised machines are converted into SOCKS proxies and VNC-accessible endpoints

What This Means for AI Security

The GlassWorm campaign proves something we've been saying: the threat to AI-powered development isn't just what the AI says. It's the entire environment the AI operates in.

Your AI coding assistant inherits the security posture of your machine. If a malicious extension has access to your GitHub token, so does every agent running on your machine. If your credentials are exfiltrated, every automated commit — by your agent or the attacker — looks identical.

This is why network-layer visibility matters. You can't detect GlassWorm by scanning prompts. You can't detect it with a browser extension DLP tool. The malicious traffic — the credential exfiltration, the force-push to GitHub, the C2 communication to a Solana wallet address — happens at the network level.

A MITM proxy watching all outbound traffic from a developer machine can:

• Flag unexpected outbound connections from IDE processes
• Detect credential material (GitHub tokens, NPM tokens) being sent to non-standard destinations
• Alert on git push operations to repositories outside an approved list
• Catch the Solana RPC call used to retrieve the payload URL

None of the major enterprise DLP tools would have caught this. Netskope and Zscaler inspect AI API traffic. GlassWorm doesn't use AI APIs. It uses git, the VS Code extension API, and Solana RPC. Different protocols, different destinations, same developer machine.

What You Can Do Today

For individual developers:

• Audit your VS Code and Cursor extensions. The community has published detection scripts that check for known GlassWorm indicators.
• Check your ~/.git-credentials file. If you have one, consider rotating those tokens now.
• Enable GitHub's branch protection rules to prevent force pushes on critical branches.
• Use signed commits. They don't prevent the attack, but they make the forged history detectable.

For engineering leaders:

• Require extension allow-lists for developer IDEs. Don't let every developer install whatever catches their eye from the marketplace.
• Monitor outbound network traffic from developer machines. Not just AI API calls — all of it.
• Set up alerts for force-push events in your GitHub organization. This is the one forensic signal that GlassWorm leaves behind.
• Assume every developer credential on a compromised machine is burned. Rotate everything.

For security teams:

• Add IDE extension management to your threat model. If you're spending time securing your CI/CD pipeline but not the machine that pushes code to it, you have a gap.
• Network-level monitoring catches what endpoint tools miss. GlassWorm's C2 communication, credential exfiltration, and repository poisoning all generate network traffic that's detectable with the right visibility.

The Bigger Picture

GlassWorm is the first major attack that specifically chains IDE compromise → credential theft → repository poisoning at scale. It won't be the last.

The VS Code Marketplace and OpenVSX have the same structural problems that npm and Chrome Web Store have struggled with for a decade: low-friction publishing, minimal vetting, and an economic incentive for attackers that outpaces the defenders. Adding AI coding assistants to this ecosystem — tools that run with your credentials and autonomously write and commit code — makes the attack surface bigger and the blast radius wider.

The tools developers use every day are the attack surface now. Not the AI model. Not the API. The IDE, the extensions, and the credentials they all share.

---

CitrusGlaze is an open-source AI security proxy that monitors all network traffic from developer machines — AI API calls, git operations, credential flows, and everything else. Install in 5 minutes. See what your tools are actually doing.

Sources:

• Bleeping Computer: GlassWorm malware hits 400+ code repos
• The Hacker News: GlassWorm Attack Uses Stolen GitHub Tokens
• Truesec: GlassWorm Self-Propagating VSCode Extension Worm
• Aikido: GlassWorm Returns — Unicode Attack
• StepSecurity: ForceMemo — Python Repos Compromised
• WinBuzzer: Glassworm Invisible Unicode Supply Chain Attack
• GitHub: GlassWorm Detector
• Practical DevSecOps: MCP Security Vulnerabilities