
GlassWorm Campaign: 72 Malicious Open VSX Extensions Target Developers


These articles are AI-generated summaries. Please check the original sources for full details.

GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

The GlassWorm campaign has significantly escalated its propagation by abusing extension relationships in the Open VSX registry. Researchers discovered at least 72 additional malicious extensions since January 31, 2026, targeting developers with tools mimicking AI assistants and linters. These malicious updates allow benign-appearing packages to pull separate malware-linked extensions after user trust is established.

Why This Matters

In ideal supply-chain security models, extensions are vetted at the point of entry, but GlassWorm demonstrates that attackers can bypass initial reviews by publishing benign packages and later updating them to include malicious transitive dependencies via extensionPack and extensionDependencies. This shift from direct embedding to transitive delivery vehicles allows attackers to establish trust before deploying payloads that steal secrets and cryptocurrency, effectively turning legitimate development environments into attack vectors. Furthermore, the use of Large Language Models to generate convincing cover commits for these updates makes it nearly impossible for developers to distinguish malicious activity from routine maintenance. This coordinated, multi-platform push across npm, GitHub, and Open VSX signifies a new level of sophistication in targeting developer infrastructure.

Key Insights

  • Socket discovered 72 malicious Open VSX extensions targeting developers since January 31, 2026.
  • 151 GitHub repositories were infected with invisible Unicode payloads between March 3 and March 9, 2026, according to Aikido.
  • Attackers abuse extensionPack and extensionDependencies in package.json to force-install malicious secondary extensions transitively.
  • Solana transactions are used as dead drop resolvers to fetch C2 server addresses for improved resilience against takedowns.
  • Remote Dynamic Dependencies (RDD) were used in 88 npm packages to modify malicious code on the fly, as reported by Endor Labs.
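The transitive-install mechanism described above can be audited mechanically. The following is an added example, not code from the original article or from Socket, Aikido or Endor Labs: it walks the `extensionDependencies` and `extensionPack` fields of extension `package.json` manifests (the two fields the campaign abuses), lists every extension a single install would pull in, flags entries from publishers outside an allow-list or that cannot be resolved, and diffs two versions of a manifest to surface pack entries an update added. The manifests are constructed stand-ins for manifests fetched from a registry; the allow-list and the version diff are this example's own policy, not a registry feature.

```python
"""Audit the transitive install set of an Open VSX / VS Code extension.

Added example (not from the original article or from Socket/Aikido/Endor Labs).
Walks the `extensionDependencies` and `extensionPack` fields of extension
package.json manifests and reports every extension one install pulls in.
The manifests below are constructed stand-ins for registry data.
"""
import json
from collections import deque

# Constructed sample manifests keyed by "publisher.name". None are real extensions.
SAMPLE_MANIFESTS = {
    "acme.helpful-linter": json.dumps({
        "name": "helpful-linter", "publisher": "acme", "version": "1.2.0",
        "extensionDependencies": ["acme.lint-core"],
    }),
    "acme.lint-core": json.dumps({
        "name": "lint-core", "publisher": "acme", "version": "0.9.1",
        # The update that turns a benign tool into a delivery vehicle: a pack
        # entry pointing at an extension from an unrelated publisher.
        "extensionPack": ["example-pub.ai-helper-tool"],
    }),
    "example-pub.ai-helper-tool": json.dumps({
        "name": "ai-helper-tool", "publisher": "example-pub", "version": "3.0.0",
        "extensionDependencies": ["example-pub.not-published"],  # unresolvable on purpose
    }),
}

TRANSITIVE_FIELDS = ("extensionDependencies", "extensionPack")


def fetch_manifest(ext_id, manifests=SAMPLE_MANIFESTS):
    """Return the parsed package.json for ext_id, or None if the registry lacks it."""
    raw = manifests.get(ext_id)
    return json.loads(raw) if raw is not None else None


def transitive_extensions(root_id, manifests=SAMPLE_MANIFESTS):
    """Breadth-first walk of the install graph.

    Returns {ext_id: (field, parent_id)} recording which manifest field of which
    parent caused each extension to be installed. The root maps to ("root", None).
    """
    seen = {root_id: ("root", None)}
    queue = deque([root_id])
    while queue:
        current = queue.popleft()
        manifest = fetch_manifest(current, manifests)
        if manifest is None:
            continue
        for field in TRANSITIVE_FIELDS:
            for child in manifest.get(field, []):
                if child not in seen:
                    seen[child] = (field, current)
                    queue.append(child)
    return seen


def audit(root_id, allowed_publishers, manifests=SAMPLE_MANIFESTS):
    """Findings for transitively installed extensions that are unresolvable or
    come from a publisher outside the allow-list (example policy, not a registry rule)."""
    findings = []
    for ext_id, (field, parent) in transitive_extensions(root_id, manifests).items():
        if field == "root":
            continue
        publisher = ext_id.split(".", 1)[0]
        if fetch_manifest(ext_id, manifests) is None:
            findings.append(f"{ext_id}: not found in registry (via {field} of {parent})")
        elif publisher not in allowed_publishers:
            findings.append(f"{ext_id}: publisher '{publisher}' not allow-listed (via {field} of {parent})")
    return findings


def newly_pulled_in(old_manifest, new_manifest):
    """Extension ids an update adds to extensionPack/extensionDependencies.

    Recording the transitive set at review time and diffing it on every update
    is what catches the 'publish benign, update malicious' pattern.
    """
    def ids(m):
        return {x for f in TRANSITIVE_FIELDS for x in m.get(f, [])}
    return sorted(ids(new_manifest) - ids(old_manifest))


if __name__ == "__main__":
    for line in audit("acme.helpful-linter", allowed_publishers={"acme"}):
        print(line)
    before = {"name": "lint-core", "publisher": "acme", "version": "0.9.0"}
    print("added by update:", newly_pulled_in(before, fetch_manifest("acme.lint-core")))
```

Run against real registry data, `fetch_manifest` would be replaced by a registry lookup; the point of the walk is that installing the linter alone resolves to four extensions, two of them from a publisher the developer never chose.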

Practical Applications

  • Use Case: Security teams should scan repositories for invisible Unicode characters that encode malicious loaders, as seen in the @iflow-mcp/watercrawl-watercrawl-mcp package.
  • Pitfall: Relying on static package.json analysis is an anti-pattern when Remote Dynamic Dependencies (RDD) allow attackers to fetch external code at runtime.
  • Use Case: Developers using Open VSX must audit the transitive dependency graph of extensions, as benign tools like linters can be updated to include GlassWorm-linked dependencies.
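A scanner for the first use case above, added here as an example and not a tool from the original article or from Aikido or Socket. It leaves legitimate non-ASCII alone (identifiers, string literals such as "café") and flags only characters that render as nothing: Unicode format characters (category Cf, which covers zero-width space and joiners, bidi controls, the BOM and the Tags block), variation selectors and Hangul filler code points. A long run of such characters is reported as payload-like, a single one as suspicious. The sample source is constructed and carries no real payload; the file-suffix list and the run-length threshold are this example's own choices.

```python
"""Find invisible / zero-width Unicode in source files.

Added example, not a tool from the original article or from Aikido/Socket.
Flags only characters that render as blank: Unicode format characters
(category Cf), variation selectors and Hangul filler code points.
"""
import os
import unicodedata

# Code points outside category Cf that still render as blank in editors.
HANGUL_FILLERS = {0x115F, 0x1160, 0x3164, 0xFFA0}
# Suffixes to scan; an example choice, adjust for the repository.
SOURCE_SUFFIXES = (".js", ".ts", ".mjs", ".cjs", ".json", ".py", ".sh")


def is_invisible(ch):
    cp = ord(ch)
    if cp in HANGUL_FILLERS:
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:   # variation selectors
        return True
    if 0xE0000 <= cp <= 0xE007F:                              # Tags block
        return True
    return unicodedata.category(ch) == "Cf"                   # ZWSP, ZWJ, bidi controls, BOM, ...


def scan_text(text, run_threshold=4):
    """Return one finding per run of invisible characters.

    A run of run_threshold or more is how an encoded loader looks; an isolated
    character is more often a stray paste or a single bidi-control trick.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        i = 0
        while i < len(line):
            if not is_invisible(line[i]):
                i += 1
                continue
            start = i
            while i < len(line) and is_invisible(line[i]):
                i += 1
            run = line[start:i]
            findings.append({
                "line": lineno,
                "col": start + 1,
                "length": len(run),
                "codepoints": [f"U+{ord(c):04X}" for c in run[:5]],
                "severity": "payload-like" if len(run) >= run_threshold else "suspicious",
            })
    return findings


def scan_tree(root, suffixes=SOURCE_SUFFIXES):
    """Walk a checkout and return {path: findings} for every file with a hit."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample: line 3 carries a run of seven zero-width characters, line 4
# a single right-to-left override. Neither is a real payload.
SAMPLE_SOURCE = (
    'const greeting = "café";\n'
    'function run() {\n'
    '  const k = "\u200b\u200c\u200d\u200b\u200c\u200d\u2060";\n'
    '  return k; // check\u202e\n'
    '}\n'
)

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_SOURCE):
        print(hit)
```

In a CI job, `scan_tree(".")` returning a non-empty report is the signal; the per-run codepoint list in each finding is what lets a reviewer tell a bidi-control edit from an encoded blob without opening the file in an editor that hides both.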
