Gadi Evron
gadievron.bsky.social
CEO & Co-Founder at Knostic, CISO-in-Residence for AI at Cloud Security Alliance. Former Founder @Cymmetria (acquired). Host at Prompt||GTFO. Threat hunter, scifi geek, dance teacher. Opinions my own.
Internet memes are fun (fakes), especially when the situation is not. AWS outage shenanigans.
Circa 2015. Thank you for Participating in security. Still true.
Send me a message and I’ll be happy to show you how we stop these attacks cold, defending developers and AI coding agents.

You can also check us out here:
www.knostic.ai/ai-coding-se...

Wiz’s research blog: www.wiz.io/blog/supply-...
Securing AI Coding Assistants | Kirin
Protect AI coding workflows with Kirin. Real-time firewall, governance, and data protection for secure development.
www.knostic.ai
Our software supply chain now includes extensions, MCP servers, and random rules or prompts.
When a publisher token leaks, attackers can silently push malware through an update. Dev boxes get compromised, pipelines get poisoned, production feels it.
Microsoft enabled blocking secret scanning on September 22, 2025 to stop new extensions with live secrets.
Open VSX added token prefixing (ovsxp_) to improve detection.
Wiz identified 550+ embedded secrets, exposing 67 secret types, AI API keys (OpenAI, Anthropic, Gemini), cloud credentials (AWS, GCP, Azure), and database tokens.
Attackers could use 100+ publisher tokens in the Microsoft Marketplace and 30+ in Open VSX to push malicious updates.
An evolving attack surface
Our developers and AI coding agents now form an actively exploited attack surface. They stretch the CI/CD boundary and open direct paths into the network, which makes cyber defense harder.
Just the other day, we talked about this same issue when the GlassWorm self-propagating malware exploited VS Code extensions, first reported by Koi.
Another day, another blow to dev security. Wiz uncovered hundreds of VS Code extensions containing their own update credentials, ready to be used to exploit users, a snapshot of how fragile our developer infrastructure has become.

A thread.
By abusing compromised developer accounts, the malware uses a simple but effective technique that turns the IDE into a Trojan horse controlled by the attacker.

Knostic protects your developers and AI coding agents against attacks like this. To learn more, visit www.knostic.ai/ai-coding-se...
The user is alerted instantly and advised to remove it, stopping the threat before it spreads.

GlassWorm, a new malware campaign discovered by Koi Security, spreads through the OpenVSX registry, which feeds both standard VS Code IDEs and AI coding assistants such as Cursor and Windsurf.
Developers targeted again — this time the malware spreads itself. See how we catch.

Knostic catches the GlassWorm VS Code malware the instant it lands. In the video below, see how Knostic detects a malicious VS Code extension, in this case GlassWorm, the moment it’s installed.
And, if you like, message me and I’ll show you a demo of what we do at Knostic to protect your developers, and AI coding agents, against attacks such as these
Agentic tools made us faster but expanded our perimeter to the developer’s machine in the process.
Treat these as untrusted, fully privileged components in your environment
It hides loader code with invisible Unicode and PUA characters, an old trick that still works surprisingly well in attacks against coding agents
The payload updates through Solana blockchain transactions, and the calendar. It’s clever, but not original
The malware opens outbound connections, scans for crypto wallets (about 49 formats), and searches for developer credentials (including npm tokens and extension publisher credentials) that could later be used to update npm or extension packages
Malware behavior:
It demonstrates self-propagation through compromised developer accounts — a first observed at this scale in IDE ecosystems
The GlassWorm campaign propagates through the OpenVSX registry, which also feeds IDEs and coding assistants such as Cursor and Windsurf
Coding agents aren’t just productivity tools anymore. Actively exploited, they expanded the CI/CD security boundary to the IDE, and challenge cyber defense as a new gateway to the network
This attack stands out, though. It’s one of the first self-propagating malware campaigns to target the developer supply chain through IDE extensions
What makes this campaign different:
At Knostic, we defend AI coding agents and developers and track active threats, from IDE vulnerabilities to malicious MCP servers and extensions
Developers are yet again actively targeted via VS Code extensions, affecting Cursor, Windsurf, etc.

Koi has released research on malware they call GlassWorm. It is noisy, basic, and still works
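
The GlassWorm thread above says the loader code is hidden with invisible Unicode and PUA characters. As an added example (not part of the original posts, and not Koi's or Knostic's code), this Python scanner flags such characters in extension source text; the sample string, the choice of Unicode categories and ranges, and all function names are assumptions made for illustration.

```python
import unicodedata

# Constructed sample (not real malware): line 2 hides a zero-width space,
# a private-use character and a variation selector inside a string literal.
SAMPLE = 'const a = 1;\nconst k = "x\u200b\ue000\ufe01";\nrun(k); // caf\u00e9\n'

# Assumption: "invisible" here means Unicode format characters (Cf),
# private-use characters (Co) and the two variation-selector ranges.
SUSPICIOUS_CATEGORIES = {"Cf": "format (invisible)", "Co": "private use"}
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


def classify(ch):
    """Return a label if ch is an invisible or private-use character, else None."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS):
        return "variation selector"
    return SUSPICIOUS_CATEGORIES.get(unicodedata.category(ch))


def scan_text(text):
    """Return (line, column, codepoint, label) for every flagged character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            label = classify(ch)
            if label:
                findings.append((lineno, col, f"U+{ord(ch):04X}", label))
    return findings


def longest_run(text):
    """Length of the longest consecutive run of flagged characters.

    A lone BOM or an emoji joiner is usually benign; a long run in a
    source file is worth a manual look because it can carry hidden data.
    """
    best = cur = 0
    for ch in text:
        cur = cur + 1 if classify(ch) else 0
        best = max(best, cur)
    return best


if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
    print("longest run:", longest_run(SAMPLE))
```

Run it over the unpacked files of an extension before install or in CI, and review any file where `longest_run` exceeds a small threshold you choose.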
This is amazing. Would you mind coming to speak on this on Prompt||GTFO?