Cybersecurity Today: New Threats from AI and Code Extensions
Host: Jim Love
Date: October 24, 2025
Episode Overview
This episode of Cybersecurity Today dives into the rapidly evolving threat landscape, with a particular focus on how AI-powered attacks and supply chain compromises via code extensions are outpacing traditional defenses. Jim Love breaks down striking new threats — including the self-propagating "Glass Worm" malware in Visual Studio Code extensions, widespread vulnerabilities in AI-powered IDEs, and the rising fear of AI-driven attacks as captured in the latest ISACA survey. The conversation is rich with actionable advice and sobering analysis for cybersecurity professionals and organizations wanting to safeguard their operations in 2026.
Key Discussion Points and Insights
1. Glass Worm: A Sophisticated Supply Chain Attack
[01:30 – 06:20]
-
Discovery and Spread:
- Glass Worm, a self-spreading malware, was hidden in Visual Studio Code (VS Code) extensions.
- Over 35,000 downloads before detection.
- Discovered by researchers at Koi Security; found in seven extensions on Open VSX Marketplace and at least one in Microsoft's own VS Code Marketplace.
- Quote [02:11]:
"What makes Glassworm so dangerous is how well it hides — the malicious JavaScript is written using invisible Unicode characters, variation selectors that show up as blank space in the editor. To a developer it looks like empty lines, to scanners it looks like nothing, but to AI, it’s executable code."
— Jim Love
- Glass Worm, a self-spreading malware, was hidden in Visual Studio Code (VS Code) extensions.
-
Capabilities and Impacts:
- Steals developer credentials (GitHub, Git, NPM).
- Drains funds from crypto wallets.
- Converts compromised machines into proxy servers.
- Installs covert remote access tools.
- Employs Solana blockchain and Google Calendar for command and control, making takedowns difficult.
-
Immediate Response Recommendations:
- Security teams using VS Code should:
- Treat the situation as an active incident.
- Inventory and review all installed extensions against the list posted by Koi Security.
- Disable automatic updates and scrutinize every extension.
- Restrict access to untrusted extension marketplaces and whitelist only approved extensions.
- Security teams using VS Code should:
-
Memorable Moment [05:00]:
"For the moment, the safest move is to block untrusted marketplaces and allow list only approved extensions until the threat is fully contained."
— Jim Love
2. Vulnerabilities in AI-Powered IDEs: Cursor and Windsurf
[06:21 – 09:35]
-
Critical Risks Identified:
- Newly-released AI-powered IDEs, Cursor and Windsurf, are based on outdated Chromium and Google V8 engines.
- More than 94 security flaws, including critical ones, affect the embedded browsers.
- Over 1.8 million developers potentially at risk.
-
Exploitation Example:
- The integer overflow flaw, CVE-2025-7656, could crash the editor and potentially allow remote code execution via a malicious link.
-
Vendor Responses (or Lack Thereof):
- Cursor labeled the exploited vulnerability “out of scope."
- Windsurf did not respond at all.
-
Quote [08:22]:
"Electron-based apps like these package a fixed Chromium build. Unless developers regularly update that embedded browser, they inherit every browser vulnerability that's been fixed since their last release. In this case, that means 94 of them, some of them critical."
— Jim Love -
Recommendations:
- Organizations using these IDEs should:
- Prioritize this as an incident-level concern.
- Pressure vendors for patched, up-to-date builds.
- Consider alternative tools if vendors dismiss or ignore these issues.
- Organizations using these IDEs should:
3. AI-Driven Attacks Become Top Security Fear for 2026
[09:36 – 13:05]
-
ISACA 2026 Tech Trends and Priority Pulse Poll:
- AI-driven threats have overtaken ransomware and insider breaches as top concerns.
- Statistics:
- 59% cite AI and deepfakes as their primary worry.
- 63% highlight AI-driven social engineering (cloned voices, fake videos, automated spear-phishing).
-
Current Level of Preparedness:
- Only 13% of organizations feel “very prepared.”
- Nearly one-third admit they’re not ready at all.
-
Quote [11:23]:
"Attackers are already using AI to craft convincing messages, mimic executives, and scale deception in ways human criminals never could. Only 13% of respondents said their organizations are very prepared to handle these risks."
— Jim Love -
Pace of Change:
- 41% of professionals report that just keeping up with AI's pace is their biggest challenge.
- There is a growing mismatch between the speed of AI adoption and the ability of security teams to build effective defences.
-
Quote [12:16]:
"The technology that’s transforming our business is now transforming the threat landscape faster than most organizations can respond."
— Jim Love
Notable Quotes & Memorable Moments
-
On New Forms of Malware Stealth:
"...to scanners it looks like nothing, but to AI, it’s executable code." [02:20]
-
On Supply Chain Security Recommendations:
"...the safest move is to block untrusted marketplaces and allow list only approved extensions until the threat is fully contained." [05:00]
-
On the Failure to Patch IDE Security Flaws:
"If you hear that that's out of scope or you don't get an answer, maybe it’s time to go looking for a new tool set." [09:10]
-
On the Strain Facing Security Professionals:
"The speed of AI adoption is outpacing the defenses meant to contain it, and the strain is starting to show..." [11:55]
Timestamps for Important Segments
- [01:30] Unveiling of Glass Worm in VS Code extensions
- [03:00] Glass Worm’s capabilities & command and control mechanisms
- [04:45] Guidance for organizations to assess and secure code extensions
- [06:21] Widespread vulnerabilities in AI-based IDEs exposed
- [07:50] Vendor responses and the inherent risks of Electron-based applications
- [09:36] ISACA survey: AI-driven threats lead 2026 concerns
- [11:20] Organizational preparedness and gaps in defensive capability
Summary Takeaways
-
Enterprise Supply Chain Risk:
The Glass Worm attack marks a new height in supply chain sophistication. Security teams must respond immediately, with inventories, vetting, and restricted extension policies. -
AI-Powered Toolchain Dangers:
Popular AI-based development tools are shipping with dozens of known vulnerabilities, with vendors slow or unwilling to patch—an urgent red flag for any security-conscious tech org. -
AI as a Hacker's Superpower:
Survey data highlights the mounting fear and unpreparedness around AI-driven social engineering and deepfake attacks. The profession is facing a race to adapt defensive tactics as AI’s impact accelerates.
For further resources or to share tips, reach Jim Love via the Contact Us form at technewsday.com or .ca.
This summary captures the actionable insights and urgency in Jim Love’s coverage of AI-powered, supply chain, and social engineering threats—an essential listen for anyone grappling with the new realities of cybersecurity in 2026.
