Risky Bulletin: Clever Worm Hits the VS Code Scene
Podcast: Risky Bulletin
Host: risky.biz
Date: October 21, 2025
Episode Theme:
The episode features fast-paced updates on significant recent cybersecurity incidents worldwide, with the headline focus on a new worm targeting Visual Studio Code (VS Code) users. Highlights include breaches affecting major tech and telecom companies, policy shifts in Russia, data leaks, ransomware and SIM swapping incidents, and new merit badges for the Boy Scouts in AI and cybersecurity.
Main Theme
A sophisticated new malware campaign, dubbed "Glass Worm," is actively targeting developers by spreading through VS Code extensions. The episode uncovers its mechanisms, intent, and potential impact, while also running down a wide array of notable breaches, attacks, and developments in the cybersecurity landscape.
Episode Highlights & Key Discussion Points
1. Malicious VS Code Worm Targets Developers
- [00:19] The episode’s top story details a worm infecting VS Code users via extensions on both the official and Open VSX marketplaces.
- Purpose: The "Glass Worm" is primarily designed to steal funds and supports credential theft from 49 cryptocurrency wallet apps.
- Credential Harvesting: It also collects credentials for GitHub, npm, and Open VSX.
- Propagation: Uses stolen credentials to inject itself into other extensions and libraries—elevating the supply chain risk.
- Communication: Employs the blockchain for command and control (C2), with Google Calendar as a backup.
- Evasion: Uses unprintable Unicode characters to make analysis harder.
- Quote (Claire Airdrop, [00:22]):
"The Glass Worm malware spreads using VS Code extensions... Its primary aim is to steal funds. It supports 49 different cryptocurrency wallet apps."
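A defender-side check for the evasion technique noted above, as an added example that is not from the episode or from any vendor report: it flags runs of invisible Unicode code points in extension source before install or review. The episode does not say which characters the worm uses, so the character classes, the name `findInvisibleRuns` and the sample source are assumptions constructed for illustration.

```javascript
// Code points that render as nothing in most editors (assumed set):
// format characters (Cf), private use (Co), unassigned (Cn), and the
// two variation-selector ranges.
const INVISIBLE =
  /[\p{Cf}\p{Co}\p{Cn}\u{FE00}-\u{FE0F}\u{E0100}-\u{E01EF}]+/gu;

// Returns one finding per run of invisible code points in `source`.
// `minRun` lets a reviewer ignore single joiners used in emoji sequences.
function findInvisibleRuns(source, minRun = 1) {
  const findings = [];
  // A single leading byte-order mark is legitimate, so skip it.
  INVISIBLE.lastIndex = source.charCodeAt(0) === 0xfeff ? 1 : 0;
  let m;
  while ((m = INVISIBLE.exec(source)) !== null) {
    const points = Array.from(m[0]); // iterate by code point, not UTF-16 unit
    if (points.length < minRun) continue;
    const before = source.slice(0, m.index);
    findings.push({
      line: before.split("\n").length,
      column: m.index - before.lastIndexOf("\n"), // 1-based
      count: points.length,
      sample: points.slice(0, 4).map((c) =>
        "U+" + c.codePointAt(0).toString(16).toUpperCase().padStart(4, "0")),
    });
  }
  return findings;
}

// Constructed sample: a harmless file with four invisible code points
// placed inside a string literal on line 3, plus a legitimate leading BOM.
const HIDDEN = String.fromCodePoint(0xe0101, 0xe0102, 0xe0103, 0xfe01);
const SAMPLE = [
  "\uFEFFconst vscode = require('vscode');",
  "const label = 'ok';",
  "const payload = '" + HIDDEN + "';",
].join("\n");

console.log(findInvisibleRuns(SAMPLE));
```

A string literal that looks empty in the editor but is reported with a non-zero `count` is the signal to inspect the file in a hex viewer.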
2. F5 Networks: Breach Timeline Unfolds
- [01:09] New details reveal that F5’s breach started in 2023, not 2024 as previously believed.
- Attackers exploited vulnerabilities in F5’s own products.
- After the breach, F5 discontinued support for its BIG-IP Next product.
- Quote ([01:17]):
"The breach was discovered in August this year, but Bloomberg says the US tech company was initially compromised in 2023."
3. Korea Telecom CEO Resigns After Security Incident
- [01:32] Korea Telecom’s CEO, Kim Yongsub, announces resignation.
- Hackers stole circa $170,000 via the company’s micropayments platform.
- The breach involved fake mobile towers used to steal customer info.
- Quote ([01:43]):
"Kim Yongsub told reporters he intends to take responsibility for the breach, which will include stepping down."
4. Surveillance Vendor Developer Targeted with Spyware
- [01:58] Former Trenchant (American surveillance vendor) developer Jay Gibson was hit with iOS mercenary spyware.
- Received a warning from Apple regarding the targeted attack.
- Gibson claims his dismissal was tied to a data leak he says he wasn’t responsible for.
5. Russia Considers Mandating Online Age Verification
- [02:22] The Russian government is mulling compulsory online age verification via official ID for certain website access.
- Scope: Includes sites with adult content, violence, profanity, propaganda, or antisocial content.
6. Ongoing Data Leaks Target US Government and Israeli Scientists
- [02:46] Hackers continue to leak sensitive data related to top US government staff and Israeli military scientists.
- New data dump includes staff from: NSA, Air Force, DIA, CDC, and more.
- Hacking group Handala (with suspected ties to Iranian intelligence) doxxed Israeli officials and military scientists.
- Quote ([03:13]):
"The Handala hacking group accused the individuals of helping to build Israel's armed forces."
7. Japanese Supplier Ascool Hit with Ransomware
- [03:26] Ascool (Japanese office supply company) halts online orders after ransomware attack, affecting multiple small retailers.
8. Australian Telco Dodo Suffers SIM Swapping Attacks
- [03:43] Hackers accessed 1,600 customer email accounts via Dodo, triggering at least 34 SIM swap attacks.
- Dodo responded by shutting down its email system.
9. $3.44 Million Stolen from Typus Finance (DeFi Platform)
- [03:58] Hackers exploited a smart contract, draining millions in crypto.
- Typus Finance filed a police report within two hours.
10. Smishing Campaign Leads to UK Prison Sentence
- [04:14] Kong Ji Chen sentenced to 24 weeks for using an SMS blaster to spam London Underground commuters.
- Caught with the device concealed in a large green suitcase.
- Quote ([04:20]):
"Chen initially claimed he did not know what was in the suitcase... He later pleaded guilty."
11. Belarus: Cybercrime Service Operator Arrested
- [04:28] Belarusian police detain a 25-year-old running a platform that registered/traded bank accounts for laundering.
- 1,700+ users, dozens more arrested in the operation.
12. Meta Suspends 8 Million Scam Accounts
- [04:46] Meta disables millions of scam-linked Facebook and Instagram accounts connected to Asian scam compounds, a fourfold increase from last year.
- Quote ([04:51]):
"The company has linked the accounts to scam compounds in Myanmar, Laos, Cambodia, the UAE and the Philippines."
13. Malicious Chrome Extensions Target WhatsApp Web
- [04:57] 131 extensions (21,000 installs) inject spam scripts into WhatsApp Web—primarily affecting Brazilian users.
- Reported to Google but not yet removed.
14. Vulnerability in Better Auth Allows Key Abuse
- [05:09] A flaw in a plugin for the Better Auth authentication framework let attackers mint privileged API keys via a single unauthenticated POST request.
- Exploitability is high; affects systems relying on API key-based authentication.
15. Mercu Router Users Remain Vulnerable
- [05:20] Canadian router vendor Mercu has not patched multiple vulnerabilities disclosed a year ago.
- Flaws can enable password resets and remote code execution.
- Researchers also found the company’s support portal was compromised in 2024 but received no response.
16. Boy Scouts Launch AI and Cybersecurity Merit Badges
- [05:36] Scouting America introduces badges to encourage cyber hygiene.
- Requirements: Spotting phishing, setting passwords, using firewalls, and passing new training courses.
- Quote ([05:41]):
"Boy Scouts can receive the cybersecurity badge by learning how to spot malware and phishing emails, setting strong passwords and using firewalls."
Notable Quotes
- “The Glass Worm malware spreads using VS Code extensions... Its primary aim is to steal funds.” — Claire Airdrop, [00:22]
- “Kim Yongsub told reporters he intends to take responsibility for the breach, which will include stepping down.” — [01:43]
- “The Handala hacking group accused the individuals of helping to build Israel's armed forces.” — [03:13]
- “Boy Scouts can receive the cybersecurity badge by learning how to spot malware and phishing emails, setting strong passwords and using firewalls.” — [05:41]
Timestamps of Important Segments
- [00:19] VS Code worm campaign uncovered
- [01:09] F5 breach timeline revealed
- [01:32] Korea Telecom CEO’s resignation
- [01:58] Developer targeted by mercenary spyware
- [02:22] Russian online age checks proposed
- [02:46] US and Israeli official data leaks
- [03:26] Ascool ransomware disruption
- [03:43] Dodo SIM swapping attacks
- [03:58] Typus Finance DeFi platform hack
- [04:14] UK commuter SMS spammer jailed
- [04:28] Belarus arrests for cybercrime accounts
- [04:46] Meta disables scam accounts
- [04:57] Malicious WhatsApp Chrome extensions
- [05:09] Better Auth plugin vulnerability
- [05:20] Mercu routers’ ongoing exposure
- [05:36] Boy Scouts’ new merit badges
Tone & Style
- Brisk, headline-driven, and factual, with vivid concise storytelling from Claire Airdrop.
- Attribution focuses on organizations and openly-named news sources; individual speakers mostly provide reporting.
Summary for Non-Listeners
This episode distills the week’s most critical cybersecurity news, headlined by a new worm propagating through developer tools and posing major risks to code supply chains and cryptocurrency assets. Major breaches (F5, Korea Telecom, Dodo), government and platform actions (Russia, Meta), and creative cybercrime (from malware to SMS blasting) round out a comprehensive global security snapshot. The show also highlights a positive move: new youth-focused cybersecurity education through the Boy Scouts’ merit badge program.
