One extension looks harmless. Then it gets an update. After that, every developer who installed it is also running GlassWorm.
Security firm Socket published findings Friday identifying at least 72 additional malicious extensions in the Open VSX registry since January 31, 2026. The extensions mimic everyday developer tools — linters, formatters, code runners, and plugins for AI coding assistants impersonating services like Clade Code and Google Antigravity. Open VSX has since removed them.
What separates this wave from earlier GlassWorm activity is the mechanism of delivery. Rather than embedding malicious loaders directly into each listing, the threat actor now exploits two fields inside a VS Code extension’s package.json file: extensionPack and extensionDependencies. Both fields instruct the editor to automatically install every other extension they reference. The attacker uploads a clean extension first, earns whatever trust comes with time and downloads, then quietly amends the listing to declare a GlassWorm-linked package as a dependency.
“An extension that looked non-transitive and comparatively benign at initial publication can later become a transitive GlassWorm delivery vehicle without any change to its apparent purpose,” Socket said in its report.
How the Malware Operates
The core behavior of the campaign has remained consistent since it was first flagged by Koi Security in October 2025. Extensions check for a Russian locale and skip infection if found. They use Solana blockchain transactions as a dead drop resolver — querying the blockchain to retrieve the address of the command-and-control server, a technique designed to survive takedowns. Stolen data includes tokens, credentials, secrets, and cryptocurrency wallet contents. Infected machines are also abused as proxies for other criminal activity.
The newer extensions add heavier obfuscation and rotate Solana wallets to complicate detection. The tactic mirrors how malicious npm packages use rogue dependencies to slip past automated review.
More Read
The Wider Campaign
In a separate advisory published the same day, security firm Aikido attributed the same threat actor to a broader push across open-source repositories. Researcher Ilyas Makari identified at least 151 GitHub repositories compromised between March 3 and March 9, 2026, through injections of invisible Unicode characters. The characters are undetectable in standard code editors and terminals but decode to a loader that fetches and executes a second-stage script.
The commits carrying these injections do not look suspicious. “The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project,” Makari said. “This level of project-specific tailoring strongly suggests the attackers are using large language models to generate convincing cover commits.”
The same Unicode technique appeared in two separate npm packages, pointing to a coordinated effort across multiple platforms. The same invisible-character tactic in npm packages was first observed as far back as March 2025, according to the report.
Separately, Endor Labs disclosed 88 malicious npm packages uploaded across three waves between November 2025 and February 2026, distributed through 50 disposable accounts. Those packages target environment variables, CI/CD tokens, and system metadata, and employ a technique called Remote Dynamic Dependencies to load malicious behavior at runtime rather than at install time.
Photo by Laine Cooper on Unsplash
This article is a curated summary based on third-party sources. Source: Read the original article
