Malicious VS Code Extensions Removed After Credential Theft Discovery

Thiago Alvarez
Last updated: November 10, 2025 5:10 pm
Published: November 10, 2025
Key Points:
  • Russian-speaking cybercriminals used VS Code extensions to steal crypto and GitHub credentials.
  • The GlassWorm campaign affected 49 crypto wallet extensions.
  • Rapid response mitigated immediate threats to users.

Koi Security discovered three malicious VS Code extensions in October 2025. The extensions targeted credentials for GitHub and VSX and drained funds from crypto wallet extensions; the activity is attributed to Russian-speaking threat actors.


The incident highlights vulnerabilities in the developer ecosystem, posing significant risks to crypto holdings and reinforcing concerns over supply-chain security.

Malicious Visual Studio Code (VS Code) extensions were recently found stealing GitHub and Open VSX credentials, as well as funds from multiple crypto wallets. These extensions, identified as part of the GlassWorm malware campaign, drained users' cryptocurrency holdings.

The threat originated from Russian-speaking, financially motivated actors. Their attack, which used three extensions, is notable for leveraging advanced supply-chain techniques. Koi Security first identified the campaign, which shows the actors' expertise in targeting the developer ecosystem.

Immediate Protective Actions

Immediate takedown of these extensions mitigated harm but underscored significant supply-chain vulnerabilities. The threat to Ethereum, Bitcoin, and other crypto assets was pronounced, affecting developer confidence and cryptocurrency security.

Response and Future Measures

Koi Security's findings raised concerns about increased risk from sophisticated malware. In response, tech companies are enhancing monitoring and extension validation. The attackers used blockchain infrastructure such as Solana for command and control (C2), underscoring the technological complexity of the attack.

“We have identified and removed all malicious extensions, and rotated or revoked associated tokens as of October 21, 2025.” — Open VSX Registry Team

No regulatory responses have been documented. However, heightened vigilance in developer security practices is anticipated. The incident signals the necessity for robust defenses against supply-chain threats within the digital economy.
