- Russian-speaking cybercriminals used VS Code extensions to steal crypto and GitHub credentials.
- The GlassWorm campaign affected 49 crypto wallet extensions.
- Rapid response mitigated immediate threats to users.
In October 2025, Koi Security discovered three malicious VS Code extensions, attributed to Russian-speaking threat actors, that harvested GitHub and Open VSX credentials and drained funds from crypto wallet extensions.
The incident highlights vulnerabilities in the developer ecosystem, posing significant risks to crypto holdings and reinforcing concerns over supply-chain security.
Malicious Visual Studio Code (VS Code) extensions were recently uncovered stealing GitHub and Open VSX credentials and funds from multiple crypto wallets. The extensions, identified as part of the GlassWorm malware campaign, attacked users by draining their cryptocurrency holdings.
The threat originated from Russian-speaking, financially motivated actors. Their attack, carried out through three extensions, is notable for its use of advanced supply-chain techniques. Koi Security first identified the campaign, and its analysis shows the actors’ familiarity with the developer ecosystem as a target.
Immediate Protective Actions
The prompt takedown of these extensions limited the harm but underscored significant supply-chain vulnerabilities. The threat to Ethereum, Bitcoin, and other crypto assets was pronounced, affecting both developer confidence and cryptocurrency security.
Response and Future Measures
Koi Security’s findings raised concerns about the growing risk from sophisticated malware. In response, tech companies are enhancing monitoring and extension validation. The Solana blockchain was used for command and control (C2), underscoring the technical complexity of the attack.
“We have identified and removed all malicious extensions, and rotated or revoked associated tokens as of October 21, 2025.” — Open VSX Registry Team
No regulatory responses have been documented. However, heightened vigilance in developer security practices is anticipated. The incident signals the necessity for robust defenses against supply-chain threats within the digital economy.
