Saved February 14, 2026
The Glassworm malware campaign has resurfaced with 24 new malicious packages on OpenVSX and the Microsoft Visual Studio Marketplace. This malware uses hidden code to steal developer credentials and cryptocurrency data while providing remote access to attackers. Despite prior containment efforts, it continues to evade detection and reappear on these platforms.
The Glassworm malware campaign has resurfaced for a third time, adding 24 new malicious packages to the OpenVSX and Microsoft Visual Studio marketplaces. First identified in October by Koi Security, Glassworm employs "invisible Unicode characters" to conceal its malicious code. Once installed, it targets GitHub, npm, and OpenVSX accounts, and can also extract cryptocurrency wallet data from 49 different extensions. The malware sets up a SOCKS proxy for malicious traffic and installs a client for remote access, making it particularly dangerous for developers.
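A defender-side check for the concealment technique described above, as an added example that is not from the article or from the researchers it cites. It flags runs of invisible code points in extension source text; the choice of character classes (Unicode format characters and variation selectors), the run threshold, and the sample input are assumptions, since the article does not name the specific characters used.

```python
import unicodedata

# Assumption: "invisible" means Unicode format characters (category Cf, e.g.
# zero-width space/joiner, tag characters) plus the variation selector blocks.
VARIATION_SELECTORS = (range(0xFE00, 0xFE10), range(0xE0100, 0xE01F0))


def is_invisible(ch):
    cp = ord(ch)
    if any(cp in block for block in VARIATION_SELECTORS):
        return True
    return unicodedata.category(ch) == "Cf"


def find_invisible_runs(text, min_run=4):
    """Return (line, column, run_length, first_code_point) for every run of
    consecutive invisible characters that is at least min_run long.

    A threshold above 1 skips a lone joiner inside an emoji sequence or a
    byte-order mark, which are common in legitimate files.
    """
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            if col - start >= min_run:
                first = f"U+{ord(line[start]):04X}"
                findings.append((lineno, start + 1, col - start, first))
    return findings


# Constructed sample: line 2 carries 24 variation selectors inside a string
# literal that renders as empty; line 3 has one harmless zero-width joiner.
SAMPLE = (
    "const theme = require('./theme');\n"
    "const cfg = '" + "".join(chr(0xFE00 + i % 16) for i in range(24)) + "';\n"
    "const label = 'ok\u200d';\n"
)

if __name__ == "__main__":
    for lineno, col, length, first in find_invisible_runs(SAMPLE):
        print(f"line {lineno}, col {col}: {length} invisible chars from {first}")
```

Run over the unpacked contents of an extension before installation or during marketplace review, a hit is a reason to inspect the file in a hex view, not proof of malice on its own.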
Despite efforts to remove the initial infections, Glassworm quickly reappeared with new extensions and publisher accounts. Researcher John Tuckner from Secure Annex highlighted that the package names suggest a wide targeting scope, aiming at popular development tools and frameworks such as Flutter, Vim, and React Native. The malicious packages include names like `iconkieftwo.icon-theme-materiall` and `vims-vsce.vscode-vim` from the Microsoft marketplace and `bphpburn.icons-vscode` from OpenVSX.
Once the packages are live, the publishers push updates to introduce the malware and artificially inflate download counts to appear legitimate. This manipulation can skew search results, placing malicious extensions alongside genuine projects. The malware has evolved technically, incorporating Rust-based implants while still using some of its original obfuscation methods. Both OpenVSX and Microsoft have acknowledged the issue, with Microsoft promising ongoing improvements to their scanning processes and OpenVSX committing to stronger pre-publishing safeguards.