unic/glassworm-detect

Glassworm Extension Detection Tool

Cross-platform detection and removal tool for malicious VSCode extensions affected by the Glassworm supply chain attack (October 2025).

Available for:

  • 🐧 Linux/macOS: Bash script (glassworm-detect.sh)
  • 🪟 Windows: PowerShell script (glassworm-detect.ps1)

What is Glassworm?

Glassworm is a supply chain attack that compromised multiple VSCode extensions on both the OpenVSX and Microsoft VSCode marketplaces. The malicious versions of these extensions contained code that could:

  • Execute arbitrary commands on the host system
  • Steal sensitive data including credentials
  • Establish persistent backdoors
  • Exfiltrate source code and project files

Affected Extensions

This tool checks for the following extensions and their compromised versions, as listed in the Koi Security write-up: https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace

OpenVSX Extensions

  • codejoy.codejoy-vscode-extension @ 1.8.3, 1.8.4
  • l-igh-t.vscode-theme-seti-folder @ 1.2.3
  • kleinesfilmroellchen.serenity-dsl-syntaxhighlight @ 0.3.2
  • JScearcy.rust-doc-viewer @ 4.2.1
  • SIRILMP.dark-theme-sm @ 3.11.4
  • CodeInKlingon.git-worktree-menu @ 1.0.9, 1.0.91
  • ginfuru.better-nunjucks @ 0.3.2
  • ellacrity.recoil @ 0.7.4
  • grrrck.positron-plus-1-e @ 0.0.71
  • jeronimoekerdt.color-picker-universal @ 2.8.91
  • srcery-colors.srcery-colors @ 0.3.9
  • sissel.shopify-liquid @ 4.0.1
  • TretinV3.forts-api-extention @ 0.3.1

Microsoft VSCode Extensions

  • cline-ai-main.cline-ai-agent @ 3.1.3

Requirements

For Linux/macOS (Bash Script)

  • Bash 4.0+ (the script uses associative arrays)
  • macOS/Linux operating system
  • VSCode, VSCode Insiders, or VSCodium installed (optional - script will check all)

Checking Your Bash Version

bash --version

On macOS, the default /bin/bash is version 3.2. If you need to upgrade:

# Install via Homebrew
brew install bash

# Verify installation (Homebrew installs to /usr/local/bin on Intel Macs and /opt/homebrew/bin on Apple Silicon)
/usr/local/bin/bash --version

The script uses #!/usr/bin/env bash to automatically use the newer version if available.

For Windows (PowerShell Script)

  • PowerShell Core 7.0+ (recommended) or Windows PowerShell 5.1+
  • Windows operating system
  • VSCode, VSCode Insiders, or VSCodium installed (optional - script will check all)

Checking Your PowerShell Version

$PSVersionTable.PSVersion

Installing PowerShell Core (Recommended)

If you need to install or upgrade to PowerShell Core:

# Using winget (Windows 10/11)
winget install --id Microsoft.PowerShell --source winget

# Or download from: https://github.com/PowerShell/PowerShell/releases

Setting Execution Policy

If you encounter execution policy errors when running the script:

# Allow local scripts; only scripts downloaded from the Internet must be signed (recommended)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Or allow all scripts (less secure)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Usage

Linux/macOS (Bash)

  1. Clone the repository:

    git clone https://github.com/unic/glassworm-detect
    cd glassworm-detect
  2. Make the script executable (if not already):

    chmod +x glassworm-detect.sh
  3. Run the script:

    ./glassworm-detect.sh
  4. Follow the prompts - if infected extensions are found, you'll be asked whether to uninstall them.

Windows (PowerShell)

  1. Clone the repository:

    git clone https://github.com/unic/glassworm-detect
    cd glassworm-detect
  2. Run the script:

    .\glassworm-detect.ps1

    Or with PowerShell Core explicitly:

    pwsh .\glassworm-detect.ps1
  3. Follow the prompts - if infected extensions are found, you'll be asked whether to uninstall them.

Note: If you get an execution policy error, see the Setting Execution Policy section above.

What the Script Does

The script will:

  1. ✅ Scan all VSCode installations on your system:

    • Visual Studio Code (code)
    • Visual Studio Code Insiders (code-insiders)
    • VSCodium (codium)
  2. 🔍 Check all installed extensions against the known malicious list

  3. 📊 Report findings with color-coded output:

    • 🟢 Green = Clean/Safe
    • 🟡 Yellow = Warnings
    • 🔴 Red = Infected extensions found
  4. 🗑️ Offer to uninstall any infected extensions (with confirmation)

  5. 📝 Generate a log file with scan results (timestamped)

Exit Codes

Both scripts return meaningful exit codes for automation:

  • 0 - Clean system, no infections found
  • 1 - Infected extensions detected

This allows you to use them in scripts:

Bash:

if ./glassworm-detect.sh; then
  echo "System is clean"
else
  echo "Infections found - please review"
fi

PowerShell:

.\glassworm-detect.ps1
if ($LASTEXITCODE -eq 0) {
  Write-Host "System is clean"
} else {
  Write-Host "Infections found - please review"
}

How It Works

Detection Process

  1. Discovery Phase

    • Checks for available VSCode installations using command -v
    • Stores found installations for reporting
  2. Scanning Phase

    • For each VSCode installation, runs: code --list-extensions --show-versions
    • Parses the output to extract extension IDs and version numbers
    • Compares each installed extension against the malicious extensions database
  3. Matching Phase

    • Checks both the extension ID (publisher.name) and specific version number
    • Only flags extensions that match BOTH the ID and a known malicious version
    • Safe versions of the same extension are not flagged
  4. Reporting Phase

    • Displays all findings with clear visual indicators
    • Warns if multiple VSCode installations are present
    • Creates a timestamped log file for auditing
  5. Remediation Phase (optional)

    • Prompts user for each infected extension
    • Executes code --uninstall-extension <id> for confirmed removals
    • Reports success/failure of each uninstall operation
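As an added illustration (not the project's own code), here are the discovery, scanning and matching phases above in portable POSIX sh: the table holds the README's (id, version) pairs, is_malicious flags only an exact id-plus-version match, scan_listing consumes the --show-versions output format and returns the tool's exit codes, and scan_cli wires in discovery via command -v. The sample listing is constructed, and the assumption that the CLI prints lowercased ids is noted in the comments.

```shell
# Malicious (id, version) table copied from the list in this README: "publisher.name version ...".
GLASSWORM_DB='
codejoy.codejoy-vscode-extension 1.8.3 1.8.4
l-igh-t.vscode-theme-seti-folder 1.2.3
kleinesfilmroellchen.serenity-dsl-syntaxhighlight 0.3.2
JScearcy.rust-doc-viewer 4.2.1
SIRILMP.dark-theme-sm 3.11.4
CodeInKlingon.git-worktree-menu 1.0.9 1.0.91
ginfuru.better-nunjucks 0.3.2
ellacrity.recoil 0.7.4
grrrck.positron-plus-1-e 0.0.71
jeronimoekerdt.color-picker-universal 2.8.91
srcery-colors.srcery-colors 0.3.9
sissel.shopify-liquid 4.0.1
TretinV3.forts-api-extention 0.3.1
cline-ai-main.cline-ai-agent 3.1.3
'
# is_malicious ID VERSION: succeeds only when BOTH the id and the exact version are listed.
# Ids are compared case-insensitively: the advisory lists some publishers in mixed case,
# while `code --list-extensions` prints ids lowercased (assumption about the CLI output).
is_malicious() {
  printf '%s\n' "$GLASSWORM_DB" | awk -v id="$1" -v ver="$2" '
    BEGIN { id = tolower(id) }
    tolower($1) == id { for (i = 2; i <= NF; i++) if ($i == ver) hit = 1 }
    END { exit (hit ? 0 : 1) }'
}
# scan_listing: reads "id@version" lines (the --show-versions format) from stdin, prints
# each infected entry and returns 1 if any was found, 0 if clean (the tool's exit codes).
scan_listing() {
  found=0
  while read -r line; do
    [ -n "$line" ] || continue
    if is_malicious "${line%@*}" "${line##*@}"; then
      printf 'INFECTED: %s\n' "$line"; found=1
    fi
  done
  return $found
}
# scan_cli BINARY (code, code-insiders or codium): discovery via command -v; absent installs are skipped.
scan_cli() {
  command -v "$1" >/dev/null 2>&1 || { printf 'WARN: %s not found\n' "$1"; return 0; }
  "$1" --list-extensions --show-versions 2>/dev/null | scan_listing
}
# Constructed sample listing: an unaffected extension, a safe version of an affected one, two infected.
SAMPLE_LISTING='ms-python.python@2025.10.0
codejoy.codejoy-vscode-extension@1.8.5
cline-ai-main.cline-ai-agent@3.1.3
jscearcy.rust-doc-viewer@4.2.1'
```

Feeding SAMPLE_LISTING to scan_listing prints the two infected entries and returns 1; running scan_cli code against a real installation gives the same result for the live extension list.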

Log Files

Each scan creates a log file named: glassworm-scan-YYYYMMDD-HHMMSS.log

The log contains:

  • Scan timestamp
  • User who ran the scan
  • Computer name (PowerShell only)
  • VSCode installations found
  • List of infected extensions (if any)

Example Output

Clean System

========================================
   Glassworm Extension Detection Tool
========================================

Checking Visual Studio Code...
  ✓ No infected extensions found

Checking Visual Studio Code Insiders...
  ⚠ Visual Studio Code Insiders not found

Checking VSCodium...
  ⚠ VSCodium not found

========================================
              Summary
========================================

VSCode installations found: 1
✓ CLEAN: No infected extensions found!
  Your system appears to be safe from Glassworm.

Scan log saved to: glassworm-scan-20251023-143052.log

Infected System

========================================
   Glassworm Extension Detection Tool
========================================

Checking Visual Studio Code...
  ✗ INFECTED: cline-ai-main.cline-ai-agent@3.1.3

========================================
              Summary
========================================

VSCode installations found: 1
✗ INFECTED: Found 1 malicious extension(s)!

Infected extensions:
  • cline-ai-main.cline-ai-agent@3.1.3 (in Visual Studio Code)

========================================
        Uninstall Infected Extensions
========================================

Found: cline-ai-main.cline-ai-agent@3.1.3 in Visual Studio Code
Do you want to uninstall this extension? (y/n): y
Uninstalling cline-ai-main.cline-ai-agent@3.1.3 from Visual Studio Code...
✓ Successfully uninstalled cline-ai-main.cline-ai-agent

========================================
      Recommended Next Steps
========================================

1. Review your system for suspicious activity
2. Change passwords for sensitive accounts
3. Run a full system security scan
4. Monitor for unusual network activity
5. Check browser extensions and other applications

Scan log saved to: glassworm-scan-20251023-143127.log

Security Recommendations

If the script detects infected extensions, you should:

Immediate Actions

  1. ✅ Uninstall all infected extensions (script offers to do this)
  2. 🔐 Change passwords for:
    • GitHub/GitLab accounts
    • Cloud service providers (AWS, Azure, GCP)
    • Email accounts
    • Any credentials stored in your projects
  3. 🔄 Rotate API keys and tokens
  4. 🔍 Review recent activity in your repositories and cloud accounts

Follow-Up Actions

  1. πŸ›‘οΈ Run security scans:
    • Full system antivirus scan
    • Rootkit detection tools
    • Network traffic monitoring
  2. πŸ“Š Check logs for:
    • Unauthorized access attempts
    • Unusual file modifications
    • Suspicious network connections
  3. πŸ”” Enable 2FA on all critical accounts if not already enabled
  4. πŸ’Ύ Review backups - ensure they're not compromised
  5. πŸ‘₯ Inform your team if working in a shared environment

Limitations

  • Version-specific detection: Only flags the exact malicious versions listed
  • User scope only: Checks extensions for the current user only
  • Installed versions only: Cannot detect extensions that were installed and removed
  • System extensions: May not detect system-wide installed extensions
  • Manual installation: Cannot detect manually installed extensions (not via marketplace)

Contributing

If you discover additional compromised extensions or versions, please update the malicious extensions list:

In Bash script (glassworm-detect.sh):

MALICIOUS_EXTENSIONS["publisher.extension-name"]="version1 version2"

In PowerShell script (glassworm-detect.ps1):

$MaliciousExtensions = @{
  "publisher.extension-name" = @("version1", "version2")
}

License

This script is provided as-is for security purposes. Feel free to use, modify, and distribute.

References

Disclaimer

This tool is provided for detection and remediation purposes only. While it checks for known malicious extensions, it cannot guarantee complete protection or detect all potential threats. Always follow security best practices and consult with security professionals if you suspect your system has been compromised.


Last Updated: October 23, 2025
Script Version: 1.0.0
