GBHackers

GlassWorm Uses Blockchain-Based C2 and Invisible Unicode to Steal Developer Secrets


A trio of coordinated campaigns (a JetBrains fake AI assistant campaign, the GlassWorm self-propagating worm, and the compromised Nx Console Visual Studio Code extension) made clear that IDE plugin ecosystems are now a primary attack surface for AI credential theft.

Attackers have shifted from opportunistic phishing to targeted supply‑chain techniques that exploit the broad privileges and implicit trust granted to IDE extensions, and GlassWorm represents the most technically novel example observed during this period.

GlassWorm first surfaced in October 2025 and spread through malicious extensions on the VS Code Marketplace and the OpenVSX Registry, later propagating via poisoned npm packages, Python repos, and infected GitHub pushes. At scale it compromised tens of thousands of developer installations.

Its most striking evasion technique was the use of invisible Unicode characters (variation selectors and Private Use Area codepoints) to hide malicious logic inside otherwise benign source files.

These characters render as empty space in typical editors and diff views, allowing exfiltration routines to pass casual and automated review that relies on visual inspection.

Equally notable was GlassWorm’s resilient, decentralized command‑and‑control architecture.

Operators encoded C2 information across multiple public and distributed channels: Solana transaction memo fields carried encoded C2 addresses in an immutable ledger, BitTorrent DHT entries stored configuration blobs indexed by hardcoded public keys, Google Calendar event titles acted as dead-drops for Base64-encoded paths, and conventional commercial VPS hosts served as traditional fallback servers.

This multi‑channel approach markedly increased takedown complexity and hampered detection that focuses only on blocking known attacker domains.

GlassWorm Uses Blockchain-Based C2

According to Cloud Security, GlassWorm harvested a wide credential surface: GitHub tokens, npm and OpenVSX tokens, cloud credentials, password manager exports, and AI API keys used to power coding assistants.

It used stolen GitHub credentials to force‑push malicious commits into repositories under the victim’s control, creating an automated propagation vector: any developer who cloned or pulled those repos risked secondary infection.

Later variants added a WebSocket RAT that captured screenshots, keystrokes, clipboard contents, and installed a browser extension for persistent credential collection.

GlassWorm sits alongside two companion campaigns that underscore structural weaknesses in the IDE ecosystem. The JetBrains fake AI assistant campaign placed at least 15 malicious plugins on the JetBrains Marketplace from October 2025 onward; those plugins requested API keys for LLM providers (OpenAI, Anthropic, DeepSeek, SiliconFlow) and exfiltrated them to plaintext C2 endpoints while offering genuine functionality.

The Nx Console compromise demonstrated how quickly a single malicious release can yield high impact: a malicious nrwl.angular-console version published in May 2026 executed an obfuscated payload hosted as an orphan commit in a trusted GitHub repository and contributed to the exfiltration of thousands of internal GitHub repositories.

These incidents exploit two converging factors: first, modern IDEs routinely store high-value secrets (AI API keys, cloud credentials, registry tokens, and VCS tokens), concentrating sensitive assets inside a plugin-extensible application.

Second, marketplace review and supply‑chain integrity controls (SBOMs, SLSA provenance, dependency pinning) have not been systematically extended to IDE plugins, creating a governance gap attackers readily exploit.

AI API keys are particularly lucrative because attackers can consume costly inference at victims’ expense, exfiltrate query content, and resell valid credentials.

Immediate mitigations are urgent. Organizations should inventory and whitelist IDE plugins, rotate all AI API keys and vault them behind secret managers, and apply least‑privilege scopes and rate limits to development credentials.

Monitor LLM usage logs for anomalous spikes, enable provider alerts for unexpected consumption, and require cryptographic provenance for plugins where possible.

Marketplace operators must augment automated static analysis with semantic detection for non‑printing character obfuscation and expand supply‑chain provenance practices to extension ecosystems.
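A review-time check for the non-printing character obfuscation described above could look like the following. This is an added example, not code from GlassWorm research or any marketplace; the function names, the run-length threshold of 4, and the sample text are assumptions made for illustration.

```python
import sys
from pathlib import Path

# Codepoint ranges for the two character classes the article names.
RANGES = {
    "variation-selector": [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)],
    "private-use": [(0xE000, 0xF8FF), (0xF0000, 0xFFFFD), (0x100000, 0x10FFFD)],
}

def classify(ch):
    """Return the class name for a flagged codepoint, or None."""
    cp = ord(ch)
    for name, spans in RANGES.items():
        if any(lo <= cp <= hi for lo, hi in spans):
            return name
    return None

def scan_text(text, min_run=4):
    """Return (line, column, run_length, classes) for each run of flagged
    codepoints that is at least min_run long. min_run=4 is an assumed
    threshold: one selector after an emoji is normal, a long run is not."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        start, kinds = None, set()
        for col, ch in enumerate(line + "\n"):  # sentinel flushes a run at end of line
            kind = classify(ch)
            if kind:
                if start is None:
                    start, kinds = col, set()
                kinds.add(kind)
            elif start is not None:
                if col - start >= min_run:
                    findings.append((line_no, start + 1, col - start, sorted(kinds)))
                start = None
    return findings

# Constructed sample: line 1 is a benign emoji, line 2 hides a 10-codepoint run.
SAMPLE = (
    "console.log('done \u2714\ufe0f');\n"
    "const cfg = '" + "\U000e0100" * 8 + "\ue000\ue001" + "';\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
        for line_no, col, length, kinds in scan_text(text):
            print(f"{path}:{line_no}:{col}: {length} invisible codepoints ({', '.join(kinds)})")
    for finding in scan_text(SAMPLE):
        print("sample:", finding)
```

Run it over extension or package sources in CI or a pre-merge hook; projects that legitimately embed icon-font glyphs from the Private Use Area may need a higher `min_run` or an allowlist of paths.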
