A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 “sleeper” extensions that turn malicious after an update.
Six of the extensions have been activated and deliver malware, while researchers assess with high confidence that the rest of them are dormant or at least suspicious.
When initially uploaded, the extensions are benign but deliver the payload at a later stage, revealing the attacker’s true intention.
“This count may change as new updates continue to appear, but the pattern is consistent with earlier GlassWorm waves,” say researchers at application security company Socket.
GlassWorm is an ongoing supply chain attack campaign first observed in October, initially using invisible Unicode characters to hide malicious code that steals cryptocurrency wallets and developer credentials.
It has since expanded across multiple ecosystems, including GitHub repositories, npm packages, and both the Visual Studio Code Marketplace and OpenVSX. They have also been observed to target macOS users with trojanized crypto wallet clients.
A recent wave in mid-March 2026 showed significant scale, affecting hundreds of repositories and dozens of extensions.
However, operations of such a scale can be noisy and leave multiple traces, as multiple distinct research teams caught the activity early and helped block it.
The latest wave suggests that the attacker’s intent is to change their strategy by submitting innocuous extensions to a single ecosystem and introducing the malicious payload in a subsequent update, rather than embedding it in the extensions.
Socket has found that the 73 extensions involved in the most recent GlassWorm campaign are clones of legitimate listings, designed to trick developers who do not pay much attention beyond visuals.
In one case, the attacker used the same icon as the legitimate extension, adopted a similar naming and description. Although there are subtle differences, the main indicators are the name of the publisher and the unique identifier.
Instead of carrying the malware, the extensions now act as thin loaders that fetch it via one of the following methods:
- The extension retrieves a secondary VSIX package from GitHub at runtime and installs it using CLI commands.
- The extensions load platform-specific compiled modules (.node files) that contain the core logic, including fetching additional payloads and executing installation routines across supported editors.
- Some variants rely entirely on heavily obfuscated JavaScript that decodes at runtime to fetch and install malicious extensions, sometimes including encrypted or fallback URLs for payload retrieval.
Socket did not provide technical details about the newest payload. Previously, these attacks were aimed at stealing cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
The cybersecurity company has published the full list of the 73 extensions believed to be part of the latest GlassWorm wave. Developers who installed any of them are recommended to rotate all secrets and clean their environment.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
