GlassWorm Abuses 72 Open VSX Extensions to Target Developers
Security firms have uncovered a renewed GlassWorm supply-chain campaign that is using the Open VSX registry to reach developers by abusing extension relationships in VS Code extensions. Socket said it found at least 72 malicious Open VSX extensions since January 31, 2026, and warned the campaign represents a “significant escalation” in how the malware propagates.
Instead of placing a loader directly in every malicious package, the attackers are now adding references in an extension’s package.json using “extensionPack” and “extensionDependencies” fields. Socket explained that this lets an initially benign-looking extension later pull in a separate GlassWorm-linked extension once users have already trusted and installed it. “As a result, an extension that looked non-transitive and comparatively benign at initial publication can later become a transitive GlassWorm delivery vehicle without any change to its apparent purpose,” Socket said.
Socket reported that many of the newly identified extensions impersonate common developer tools such as linters, formatters, code runners, and integrations for AI coding assistants. Open VSX has removed several of the flagged extensions after the discovery. Some of the names identified by researchers include angular-studio.ng-angular-extension, crotoapp.vscode-xml-extension, gvotcha.claude-code-extension, mswincx.antigravity-cockpit, tamokill12.foundry-pdf-extension, turbobase.sql-turbo-tool, and vce-brendan-studio-eich.js-debuger-vscode.
GlassWorm is a long-running campaign that previously targeted Microsoft Visual Studio Marketplace and Open VSX with malicious extensions that steal secrets, drain cryptocurrency wallets, and turn infected machines into proxies for other criminal operations. Koi Security first flagged the activity in October 2025, while related tactics such as using invisible Unicode characters to hide malicious code had been noted as early as March 2025.
Researchers at Aikido reported a related mass injection campaign across open-source repositories, where attackers embedded invisible Unicode characters to encode a loader. Aikido estimated 151 GitHub repositories were affected between March 3 and March 9, 2026. The characters do not render in code editors, but they decode to a loader that fetches and executes a second-stage script to steal tokens and credentials.
Security researcher Ilyas Makari described the commits carrying the injections as carefully tailored cover changes. “The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project,” Makari said. He added that the project-specific tailoring suggests attackers may be using large language models to generate convincing cover commits.
Separately, Endor Labs reported finding 88 malicious npm packages uploaded in three waves between November 2025 and February 2026 using disposable accounts. Those packages included data-harvesting functionality and used Remote Dynamic Dependencies, where package.json points to code hosted at a custom URL so operators can change payloads without republishing. Endor Labs warned, “When packages rely on code hosted outside the npm registry, authors retain full control over the payload without publishing a new package version. By modifying a single file on the server, they can silently change or disable the behavior of every dependent package at once.”
Endor Labs also noted that the publisher later replaced the data-harvesting payload in some packages with a simple message, but said the change highlights the risks of URL-based dependencies. The company questioned whether at least some of the npm activity represented malicious intent rather than benign research, citing rotated account names and broad data collection as red flags.
For developers and organizations, the takeaway from these reports is to treat extension dependencies and external URL dependencies as high-risk. Socket and other firms recommend auditing installed extensions, limiting extensions to trusted sources, and reviewing package.json metadata for unexpected dependencies or remote URLs.
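One way to carry out the package.json review recommended above, as an added example that is not code from Socket, Endor Labs or the original article: it compares two versions of a manifest to show which extension references an update introduced, checks all references against an allowlist, and flags dependency specs that point at a URL rather than the registry. The function names, the allowlist and the sample manifests are constructed for illustration.

```python
import json
import re

# Manifest fields that make the editor install other extensions.
REF_FIELDS = ("extensionPack", "extensionDependencies")
# npm sections whose values can be URLs instead of registry version ranges.
DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")
REMOTE_SPEC = re.compile(r"^(git\+)?(https?|ssh|git)://", re.IGNORECASE)

def extension_refs(manifest):
    """Return the lowercased extension IDs a manifest pulls in."""
    refs = set()
    for field in REF_FIELDS:
        value = manifest.get(field)
        if isinstance(value, list):
            refs.update(str(item).lower() for item in value)
    return refs

def remote_deps(manifest):
    """Return {name: spec} for dependencies fetched from a URL."""
    found = {}
    for field in DEP_FIELDS:
        section = manifest.get(field)
        if isinstance(section, dict):
            for name, spec in section.items():
                if isinstance(spec, str) and REMOTE_SPEC.match(spec.strip()):
                    found[name] = spec
    return found

def audit_update(old, new, allowlist):
    """Report what a manifest update introduced relative to the prior version."""
    allowed = {item.lower() for item in allowlist}
    return {
        "added_refs": sorted(extension_refs(new) - extension_refs(old)),
        "unapproved_refs": sorted(extension_refs(new) - allowed),
        "remote_deps": remote_deps(new),
    }

# Constructed sample manifests; every name and URL here is made up.
ALLOW = ["trusted-publisher.linter"]
OLD = {"name": "sample-formatter", "version": "1.0.0",
       "extensionDependencies": ["trusted-publisher.linter"]}
NEW = dict(OLD, version="1.0.1", extensionPack=["Unknown-Publisher.Helper-Tool"],
           dependencies={"sample-util": "^1.3.0",
                         "sample-lib": "https://example.invalid/sample-lib.tgz"})

if __name__ == "__main__":
    print(json.dumps(audit_update(OLD, NEW, ALLOW), indent=2))
```

Running the comparison on every extension update, rather than only at first install, is what surfaces a reference added after the extension was already trusted.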
For guidance on software supply-chain protections such as a Software Bill of Materials, see "What Is SBOM (Software Bill of Materials)".
If an incident occurs, follow a structured response; see the guide "How to Respond to a Cybersecurity Incident" for actionable steps.