Practical methods to identify, inspect, and defend against compromised IDE extensions that turn developer tools into an attack vector
GlassWorm shows how developer tools have become part of the attack surface. The same IDEs and coding assistants that boost productivity can also be used to deliver malware. Compromised extensions now run code on developer machines, steal credentials, and feed infections back into the supply chain. Here’s how to recognize and analyze them before they do damage.
Recognizing Malicious Behavior
Certain patterns appear repeatedly in malicious extensions. Dynamic code execution, such as calls to eval() that run remote data, is an immediate warning sign. Extensions with no clear purpose that only fetch, decode, and execute code should be treated as suspect.
Some campaigns hide their communication through the Solana blockchain, using it as a covert command channel. Others rely on obfuscation with meaningless variable names like etptqzkror or vldvs, heavy Base64 encoding, and string manipulation that conceals payloads. Several create and run new files such as run.js using Node’s child_process.exec.
When these signs appear together, you are likely not dealing with sloppy programming but with malware. Even a simple theme can conceal a loader that downloads a second-stage payload.
Examining a VSIX Extension
A .vsix file is just a ZIP archive. Rename it from .vsix to .zip, extract it, and open it. Inside you’ll find folders like src or dist, and files such as extension.js or extension.ts.
Start with package.json. It lists commands, permissions, and activation events. Unexpected triggers or remote network calls indicate trouble. Next, review the JavaScript files for encoded strings, URLs, or any process execution commands.
If you prefer a faster method, use a VSIX viewer extension in VS Code. It lets you open and inspect the contents directly.
Strengthening IDE Security
Your IDE should be treated as a critical system. Only install extensions from verified publishers. Review updates, especially when a long-inactive project suddenly releases a new version. Run untrusted code in isolated environments and monitor for unusual network activity.
Kirin by Knostic detects infected extensions at installation time. It alerts the user instantly and blocks the threat before it spreads through the environment.
Developer workstations and coding assistants now hold privileged access to code, tokens, and infrastructure. Understanding how to inspect and validate extensions is basic operational security.
To see how Knostic protects enterprises, developers, and AI coding agents from attacks like GlassWorm, visit https://www.getkirin.com/.
