Issue #183 (Beware of GlassWorm (VS Code Extension Malware)) 10/22/25

The feature article in this week's articles section below is on malware that's apparently still active in the VS Code extension community as of this writing. You can check out that link below, but here are a few other reports on the subject as well:

The last link, from Koi Security, has a fairly detailed description of what their team found in this exploit.

GlassWorm breakdown from Koi Security

The above screenshot, from Koi's article, shows what they describe as 'the unkillable C2-Solana blockchain'. As they explain:

"The attacker is using a public blockchain – immutable, decentralized, impossible to take down – as their C2 server."

They go on to explain how the malware is then 'hunting for credentials' from npm, GitHub, and so on, as they demonstrate in another screenshot.

GlassWorm Malware stealing credentials

There's lots more in the article if you want the full breakdown. If you want to know which extensions are infected, here is a Hacker News comment that lists them.

Hopefully this exploit gets neutralized, but be sure to check out the links I've included above and the one in the articles section below, to make sure you haven't been compromised.

Now on to this week's hand-picked links!

VS Code Tools

Daily Install Trends of AI Coding Tools — A dashboard showing the 30-day moving average of daily install counts in VS Code of the major AI coding tool extensions. Data is from the install counts from the Marketplace, charting daily installs.

Inline Live Server — A professional live development server with integrated webview preview, multi-server management, and instant reload capabilities for modern web development in VS Code.

spotilyrics — A VS Code extension that lets you see synchronized Spotify lyrics inside VS Code while coding, synced to your Spotify playback.


VS Code Theme of the Week

GameMaker Studio 2 Theme — A theme inspired by a 2D game development platform that also includes partially ported keybindings and snippets from GameMaker.

GameMaker Studio 2 Theme for VS Code

The colors are bright with good contrast, and although the theme is designed for those working with GameMaker and one of its toolkits, you might enjoy the syntax highlighting enough to use it regardless of whether you use the platform.

VS Code Articles & Videos

Self-spreading GlassWorm Malware hits OpenVSX, VS Code Registries — A supply chain attack that uses a worm with stealth techniques to harvest npm, GitHub, and Git credentials, and drain cryptocurrency wallets, among other things. Still seems to be active in OpenVSX and the VS Code Marketplace, so beware.

I Made a VS Code Extension That Got 4.5K+ Downloads — The developer discusses a simple VS Code extension that sorts and compares JSON files, which I featured in this newsletter a short time ago.

GitHub Copilot Gets Smarter at Finding Your Code: Inside Our New Embedding Model — Learn about a new Copilot embedding model that makes code search in VS Code faster, lighter on memory, and far more accurate.

Best of the Rest

Hopp — An open source pair programming app built for developers that has the responsiveness of local development with the freedom of remote collaboration.

Cosine CLI — A local command-line interface that brings Cosine, the autonomous AI engineer, directly into your development environment.

Agent Client Protocol — A protocol that attempts to standardize communication between code editors (IDEs, text-editors, etc.) and coding agents (programs that use generative AI to autonomously modify code).

Suggestions?

If you have any link suggestions, including a tool, article, or other resource related to VS Code or another IDE, you can hit reply, send it via DM on X, or via chat on Bluesky.

That's it for this issue.

Happy VS Coding!
Louis
VSCode.Email
@LouisLazaris
Copyright © VSCode.Email. All rights reserved.

Not affiliated with Microsoft, Visual Studio Code, or any of its trademarks.