GlassWorm's Evolving Playbook: Sleeper Extensions in OpenVSX
A new phase of the GlassWorm supply chain attack campaign has been identified, this time targeting the OpenVSX ecosystem with 73 specially crafted extensions that are designed to appear benign on upload before becoming malicious through a subsequent update. According to researchers at application security firm Socket, six of these extensions have already been activated and are actively delivering malware, while the remaining extensions are assessed with high confidence to be either dormant or at minimum suspicious.
The core tactic here is delayed weaponization: extensions are submitted clean, pass any initial review, and only reveal their true purpose after the attacker pushes a later update containing the malicious payload. As Socket's researchers put it, "This count may change as new updates continue to appear, but the pattern is consistent with earlier GlassWorm waves."
Background: An Ongoing and Expanding Threat
GlassWorm is not a new threat. It was first observed in October 2024, initially deploying invisible Unicode characters to conceal malicious code capable of stealing cryptocurrency wallets and developer credentials. Since then, the campaign has expanded considerably, spreading across multiple ecosystems including GitHub repositories, npm packages, the Visual Studio Code Marketplace, and OpenVSX. Attackers have also been observed distributing trojanized cryptocurrency wallet clients aimed specifically at macOS users.
A notably large wave hit in mid-March 2026, impacting hundreds of repositories and dozens of extensions. However, that operation's sheer scale made it noisy and traceable — multiple independent research teams detected the activity early and assisted in blocking it. The latest campaign suggests the threat actor has taken note and is deliberately shifting to a lower-profile, more surgical approach.
Cloning Legitimate Extensions to Deceive Developers
Socket's analysis reveals that all 73 extensions involved in this newest wave are clones of legitimate marketplace listings, engineered to fool developers who do not look far beyond surface-level visual cues. In at least one documented instance, the attacker replicated the exact same icon as the genuine extension and adopted nearly identical naming and description text.
While subtle differences do exist, the most reliable indicators of fraud are the publisher name and the unique extension identifier — details that casual users often overlook. This social engineering dimension is a central part of GlassWorm's effectiveness against developer communities.
Three Methods for Delivering the Payload
Rather than bundling malware directly into the extension package, the latest GlassWorm variants act as thin loaders that fetch payloads through one of three distinct mechanisms:
- VSIX retrieval from GitHub: The extension pulls a secondary VSIX package from a GitHub-hosted location at runtime and installs it using command-line interface commands.
- Platform-specific compiled modules: Extensions load .node files — compiled, platform-specific binaries — that contain the core malicious logic, including routines for fetching additional payloads and executing installation steps across supported editors.
- Obfuscated JavaScript loaders: Some variants rely entirely on heavily obfuscated JavaScript that decodes at runtime to fetch and install malicious extensions, with certain versions including encrypted or fallback URLs for payload retrieval.
Socket has not disclosed full technical details about the specific payload being delivered in this newest wave. In prior GlassWorm campaigns, however, the malware has been designed to steal cryptocurrency wallet data, credentials, access tokens, SSH keys, and general developer environment data.
Scope, Detection, and Recommended Actions
The cybersecurity firm has published a complete list of all 73 extensions believed to be part of this latest GlassWorm operation. Developers who have installed any of the flagged extensions are strongly urged to take the following steps immediately:
- Rotate all secrets, API keys, and credentials that may have been accessible within the affected development environment.
- Audit installed extensions and remove any that appear on Socket's disclosed list.
- Inspect SSH keys and access tokens for signs of unauthorized use.
- Consider a full environment rebuild if any of the already-activated extensions were present on the system.
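The audit step above can be scripted. The following is an added example (not Socket's tooling or anything from the report) that walks a local extensions directory, derives each extension's `publisher.name` identifier from its `package.json`, and flags three of the indicators described in this article: an identifier on an operator-supplied blocklist (a placeholder here, since the flagged IDs are not reproduced on this page), bundled `.node` native modules, and invisible Unicode code points in JavaScript sources. The zero-width and variation-selector ranges treated as "invisible" are an assumption; the sample extensions are constructed in a temporary directory.

```python
"""Audit a VS Code / OpenVSX extensions directory for GlassWorm-style indicators.
Added example; the sample data below is constructed, not taken from the report."""
import json
import tempfile
from pathlib import Path

# Code points that render as nothing: zero-width characters and the Unicode
# variation-selector blocks. Assumed ranges for this example, not from the page.
INVISIBLE = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0)) | {
    0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}

def extension_id(ext_dir: Path) -> str:
    """publisher.name from package.json is the identifier worth trusting."""
    meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    return f"{meta.get('publisher', '?')}.{meta.get('name', '?')}"

def audit_extension(ext_dir: Path, blocklist: set[str]) -> list[str]:
    findings = []
    ext_id = extension_id(ext_dir)
    if ext_id in blocklist:
        findings.append(f"{ext_id}: identifier is on the flagged list")
    for path in ext_dir.rglob("*"):
        if path.suffix == ".node":  # compiled, platform-specific module
            findings.append(f"{ext_id}: compiled native module {path.name}")
        elif path.suffix in (".js", ".mjs", ".cjs"):
            text = path.read_text(encoding="utf-8", errors="replace")
            hidden = sum(1 for ch in text if ord(ch) in INVISIBLE)
            if hidden:
                findings.append(f"{ext_id}: {hidden} invisible code points in {path.name}")
    return findings

def audit_all(root: Path, blocklist: set[str]) -> list[str]:
    return [f for d in sorted(root.iterdir()) if (d / "package.json").exists()
            for f in audit_extension(d, blocklist)]

def build_demo() -> Path:
    """Constructed sample: one clean extension and one lookalike clone."""
    root = Path(tempfile.mkdtemp())
    for pub, name, js, native in [
            ("good-publisher", "linter", "module.exports = {};\n", False),
            ("lookalike-pub", "linter", "module.exports = {};\uFE01\uFE01\n", True)]:
        d = root / f"{pub}.{name}"
        d.mkdir()
        (d / "package.json").write_text(json.dumps({"publisher": pub, "name": name}))
        (d / "extension.js").write_text(js, encoding="utf-8")
        if native:
            (d / "loader.node").write_bytes(b"\x7fELF")  # stand-in binary
    return root

if __name__ == "__main__":
    for line in audit_all(build_demo(), {"lookalike-pub.linter"}):  # placeholder id
        print(line)
```

Point `audit_all` at the real extensions directory (for example `~/.vscode/extensions`) and fill the blocklist from Socket's published list to use it for an actual audit.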
A Strategic Shift Worth Watching
The broader implication of this wave is the deliberate tactical refinement by GlassWorm's operators. Moving from large, detectable campaigns to a quieter sleeper-extension model reduces the attack surface visible to automated scanning and manual review teams. By distributing 73 seemingly inert packages across a single ecosystem and activating only a handful at a time, the threat actor can maintain persistence while limiting the signals that defenders typically rely on.
This approach also places a higher burden on marketplace maintainers to monitor post-publication update activity — not just initial submission content — and on developers to scrutinize publisher identities and extension identifiers rather than relying on visual similarity to trusted tools. As GlassWorm continues to evolve, the developer community and security researchers will need to keep pace with each iterative change in methodology.
Source: BleepingComputer