MASSIVE SECURITY BREACH: GLASSWORM VIRUS INFECTS POPULAR CODING TOOLS

The world of software development is currently under a major attack as a new, self-spreading virus named “GlassWorm” has begun tearing through popular coding environments. This isn’t just a simple bug; it is a sophisticated piece of digital “malware” designed to jump from one developer’s machine to another by hiding inside the tools they use every day. Specifically, the virus is targeting extensions for Visual Studio Code (VS Code), which are the small plugins developers install to make their jobs easier. By sneaking into these trusted tools, the attackers have found a way to bypass traditional security and gain full control over professional workstations.

The way this virus hides is particularly clever and scary. It uses “invisible” Unicode text characters that an editor does not render on screen, but which are still present in the file and still read by the computer as instructions. This means that even if a cautious developer opens the extension’s code to see if anything is wrong, everything appears perfectly normal. The malicious instructions are tucked away in the shadows of the digital files, allowing the virus to sit right under everyone’s noses without being noticed during routine checks.
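As an added illustration (not code from the article or from Rhyno), here is a small Node.js check that flags invisible or non-rendering Unicode code points in source text. The ranges it scans are the general classes of invisible characters; the article does not say which ones GlassWorm used, so that choice is an assumption, and the sample source is constructed.

```javascript
// Added example, not code from the article: flag invisible / non-rendering
// Unicode code points in source text. These ranges are the general classes
// of "invisible" characters (assumption: the article does not say which
// ones GlassWorm used), so treat every hit as something to inspect by hand.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f, "zero-width space/joiners and bidi marks"],
  [0x202a, 0x202e, "bidi embedding/override controls"],
  [0x2060, 0x2064, "word joiner / invisible operators"],
  [0x2066, 0x2069, "bidi isolates"],
  [0xfe00, 0xfe0f, "variation selectors"],
  [0xfeff, 0xfeff, "zero-width no-break space (BOM)"],
  [0xe0000, 0xe007f, "Unicode Tags block"],
  [0xe0100, 0xe01ef, "variation selectors supplement"],
];

function classifyCodePoint(cp) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// Returns one finding per invisible code point: 1-based line and column
// (counted in code points, not UTF-16 units), U+XXXX form and its class.
function findInvisibleChars(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    let col = 0;
    for (const ch of text) {           // for...of iterates by code point
      col += 1;
      const cp = ch.codePointAt(0);
      const label = classifyCodePoint(cp);
      if (label !== null) {
        const hex = cp.toString(16).toUpperCase().padStart(4, "0");
        findings.push({ line: i + 1, col, codePoint: "U+" + hex, label });
      }
    }
  });
  return findings;
}

// Constructed sample: renders as two harmless lines, but line 2 carries a
// zero-width space followed by two Tag-block characters after the ";".
const SAMPLE_SOURCE =
  'const greeting = "hello";\n' +
  'module.exports = greeting;\u200B\u{E0061}\u{E0062}\n';

for (const f of findInvisibleChars(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}, col ${f.col}: ${f.codePoint} (${f.label})`);
}
```

Run it over the extracted files of an installed extension (for example by reading each `.js` file and passing its contents to `findInvisibleChars`); a clean file returns an empty list.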

A Triple Threat That Never Quits

What makes GlassWorm truly dangerous is its “brain” or command center. Usually, when security experts find a virus, they can shut down the server it talks to. However, the people behind GlassWorm have built a triple-layered backup system that is almost impossible to kill. First, they use the Solana blockchain—the same technology used for digital currencies—to send orders. Because the blockchain is decentralized, there is no single “off switch” to stop it. If that fails, they have a direct connection to a private server, and as a third backup, they are even using Google Calendar to coordinate their moves.

This level of persistence is rarely seen. By utilizing legitimate services like Google and permanent structures like the blockchain, the hackers have ensured that even if one door is slammed shut, two more remain open. This “triple-threat” setup makes the virus incredibly robust, allowing it to continue operating and stealing data even while security teams are actively trying to hunt it down.


Thousands of Developers Already Exposed

The scale of the infection is growing by the day. Records show that by mid-October 2025, at least seven extensions on the OpenVSX marketplace were hijacked. These tools had already been downloaded over 35,000 times before anyone realized something was wrong. Even more concerning is that the infection has jumped over to Microsoft’s official VS Code marketplace. This means the virus is no longer confined to smaller, alternative stores; it is now living in the main hub used by millions of programmers worldwide.

Once the virus gets inside a computer, it goes on a massive spending spree—with the victim’s data. It immediately starts hunting for passwords and login keys for GitHub and NPM, which are the primary platforms where software is built and shared. It also scans the machine for nearly 50 different types of cryptocurrency wallets. Perhaps worst of all, it turns the infected computer into a “zombie” machine. By installing hidden remote-access tools, the hackers can see the victim’s screen and use the computer to launch further attacks on other people, making the victim look like the criminal.

How to Protect Your Work and Your Data

  • Clean Out Your Extension Library: Open your editor and look at every single plugin. If you haven’t used it in the last month, delete it. Every unnecessary extension is a “door” that hackers can use to enter your house.

  • Investigate Your Network Traffic: Use a tool to see where your computer is sending data. If you see connections to the IP address 217.69.3.218 or 140.82.52.31, your computer is likely talking to the hackers.

  • Kill the “Auto-Update” Feature: Turn off automatic updates for your plugins. It is much safer to update them manually once you’ve confirmed the new version hasn’t been hijacked by the GlassWorm virus.

  • Check the “Startup” Registry: On Windows, the virus hides in your startup settings so it can turn itself back on every time you boot up. Look for strange entries in these two specific locations:

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  • Verify the Source: Before installing anything new, check the “Publisher Reputation.” If the person who made the extension has no history or the reviews look fake/generated, do not install it.

  • Set Up an “Allowlist”: If you run a team, don’t let people install whatever they want. Create a pre-approved list of extensions that have been vetted for safety.


Technical Indicators of Infection

If you find any of these links or addresses in your system logs, you have a problem. These are the specific tools the GlassWorm attackers are using to control infected machines:

Main Control Centers (C2)

  • Primary Server: 217.69.3.218

  • Data Theft Endpoint: 140.82.52.31:80/wall

  • Google Calendar Backup: https://calendar.app.google/M2ZCvM8ULL56PD1d6

  • Associated Email: [email protected]

Malware Download Links (Payloads)

  • http://217.69.3.218/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D

  • http://217.69.3.218/get_arhive_npm/

  • http://217.69.3.218/get_zombi_payload/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D

Blockchain Tracking

  • Solana Wallet ID: 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2

  • Specific Transaction ID: 49CDiVWZpuSW1b2HpzweMgePNg15dckgmqrrmpihYXJMYRsZvumVtFsDim1keESPCrKcW2CzYjN3nSQDGG14KKFM
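As an added example (not code from the article or from Rhyno), this Node.js snippet matches the network indicators listed above against outbound-connection log lines. The log format and the log lines are constructed for the demo; the exact-host comparison avoids flagging addresses that merely share a prefix with the C2 IP.

```javascript
// Added example, not code from the article: match the GlassWorm network
// indicators listed above against outbound-connection log lines.
const GLASSWORM_IOCS = [
  { type: "ip",  value: "217.69.3.218", note: "primary C2 / payload host" },
  { type: "ip",  value: "140.82.52.31", note: "data theft endpoint" },
  { type: "url", value: "calendar.app.google/M2ZCvM8ULL56PD1d6",
    note: "Google Calendar C2 fallback" },
];

// Constructed log format (assumption, adapt to your proxy/firewall):
//   "<timestamp> <source-ip> -> <host>[:port] <method> <path>"
function parseLogLine(line) {
  const m = /^\S+ \S+ -> ([^\s:]+)(?::\d+)? \S+ (\S+)/.exec(line);
  return m ? { host: m[1], path: m[2] } : null;
}

// Exact host comparison for IPs: a substring test would also flag hosts
// such as 217.69.3.2 or 1217.69.3.218 that merely share digits with the C2.
function matchIocs(rec) {
  const notes = [];
  for (const ioc of GLASSWORM_IOCS) {
    if (ioc.type === "ip" && rec.host === ioc.value) notes.push(ioc.note);
    if (ioc.type === "url" && (rec.host + rec.path).startsWith(ioc.value)) {
      notes.push(ioc.note);
    }
  }
  return notes;
}

// Returns [{ lineNo, host, note }] for every line that touched an indicator.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const rec = parseLogLine(line);
    if (!rec) return;                       // unparseable line, skip it
    for (const note of matchIocs(rec)) {
      hits.push({ lineNo: i + 1, host: rec.host, note });
    }
  });
  return hits;
}

// Constructed sample lines (not real traffic); line 5 is a near miss.
const SAMPLE_LOG = [
  "2025-10-17T09:12:01Z 10.0.0.15 -> 140.82.52.31:80 GET /wall",
  "2025-10-17T09:12:05Z 10.0.0.15 -> registry.npmjs.org:443 GET /",
  "2025-10-17T09:13:44Z 10.0.0.22 -> calendar.app.google:443 GET /M2ZCvM8ULL56PD1d6",
  "2025-10-17T09:14:10Z 10.0.0.15 -> 217.69.3.218:80 GET /get_arhive_npm/",
  "2025-10-17T09:15:00Z 10.0.0.31 -> 217.69.3.2:443 GET /",
];

for (const h of scanLog(SAMPLE_LOG)) console.log(`line ${h.lineNo}: ${h.host} -> ${h.note}`);
```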
