The ongoing GlassWorm campaign has deployed a fresh wave of malicious Visual Studio Code (VS Code) extensions, many of which appear benign at first but later deploy self-replicating malware capable of poisoning the software supply chain.
Researchers at Socket discovered a new cluster of 73 so-called "sleeper" extensions, published beginning in April, that are tied to the self-propagating malware's activity on the Open VSX marketplace reported last month. The latest wave shows that the campaign continues to scale and evolve, according to a recent report by the Socket Research Team.
A sleeper extension or package is a threat actor-controlled impostor that is published in a benign state to build trust and accumulate downloads, then weaponized through a later update that delivers malware. Earlier GlassWorm campaigns seeded sleeper extensions that either remained dormant or later fetched payloads from external sources.
The latest wave of malicious extensions, however, includes the capability to automatically fetch and execute malicious payloads at a later date, which the report describes as a new evasion and propagation tactic.
"Some variants rely on external payload retrieval, others rely on bundled native binaries, including reused installer components seen in prior GlassWorm activity," according to the research team. However, the common pattern throughout GlassWorm's latest activity "is that the extension itself acts as a thin loader," according to the report.
"The extension's source code alone no longer reflects the behavior that ultimately runs," the team wrote. "By shifting critical logic outside of what tools typically scan, and spreading it across multiple delivery mechanisms, the threat actor increases the likelihood of evading detection."
Supply Chain Threat Persists
GlassWorm is a family of self-propagating malware first documented by researchers at Koi Security in October 2025 as it spread across Open VSX, an open source alternative to Microsoft's Visual Studio Marketplace. Its name comes from the technique its original incarnation used to stay stealthy: the malicious code was encoded in Unicode characters (variation selectors) that do not render in a code editor, making it effectively invisible to anyone reading the source.
GlassWorm's goal is to infect software developers with infostealers that harvest a target organization's secrets and credentials; an attacker can then use those credentials to publish poisoned versions of projects the victim maintains. That downstream effect on the supply chain is what lets the malware self-replicate: when another developer installs a poisoned package, they unwittingly propagate it further.
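To make the invisible-Unicode trick concrete, here is an added example (not code from Socket, Koi Security or any GlassWorm extension) that hides a string in Unicode variation selectors and then scans JavaScript source the way a reviewer's tool would, reporting every run of non-rendering code points with its position and decoded bytes. The byte-to-variation-selector mapping is the common "invisible text" smuggling scheme and is an assumption here; the page only says the characters do not render in an editor. The sample extension source, the hidden string and the `scan_extension_dir` path layout are constructed for the example.

```python
"""Find and decode non-rendering Unicode hidden in extension JavaScript.

Added example, not code from Socket, Koi Security or any GlassWorm extension.
The byte <-> variation-selector mapping is the common "invisible text"
smuggling scheme and is an ASSUMPTION here; the page only says the characters
do not render in a code editor. SAMPLE_JS and HIDDEN are constructed.
"""
import pathlib
import sys
import unicodedata

# Code points that are legal inside JS source but draw nothing in an editor.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x2028, 0x2029}
VS_BASIC = range(0xFE00, 0xFE10)      # U+FE00..U+FE0F, variation selectors 1-16
VS_SUPP = range(0xE0100, 0xE01F0)     # U+E0100..U+E01EF, variation selectors 17-256


def is_invisible(cp: int) -> bool:
    """True for code points an editor renders as nothing."""
    if cp in ZERO_WIDTH or cp in VS_BASIC or cp in VS_SUPP:
        return True
    # Cf = "format" characters: soft hyphen, tag characters, bidi controls, ...
    return unicodedata.category(chr(cp)) == "Cf"


def encode_invisible(data: bytes) -> str:
    """Map each byte to one variation selector (assumed smuggling scheme)."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def decode_invisible(run: str) -> bytes:
    """Inverse of encode_invisible; non-selector code points are skipped."""
    out = bytearray()
    for ch in run:
        cp = ord(ch)
        if cp in VS_BASIC:
            out.append(cp - 0xFE00)
        elif cp in VS_SUPP:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


def scan_source(text: str) -> list:
    """Return (line, column, length, decoded_bytes) for each run of invisible code points.

    Split on a plain newline only: str.splitlines() would also break on
    U+2028/U+2029, which are exactly the characters we want to report in place.
    """
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        i, n = 0, len(line)
        while i < n:
            if not is_invisible(ord(line[i])):
                i += 1
                continue
            j = i
            while j < n and is_invisible(ord(line[j])):
                j += 1
            findings.append((lineno, i, j - i, decode_invisible(line[i:j])))
            i = j
    return findings


def scan_extension_dir(root: pathlib.Path) -> dict:
    """Scan script/manifest files under an extension directory (e.g. ~/.vscode/extensions/<id>)."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in {".js", ".cjs", ".mjs", ".ts", ".json"}:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: a benign-looking activate() with a hidden string after a comment.
HIDDEN = b"https://example.invalid/stage2"
SAMPLE_JS = (
    "const vscode = require('vscode');\n"
    "// activation helper " + encode_invisible(HIDDEN) + "\n"
    "function activate(context) { /* nothing suspicious visible here */ }\n"
    "module.exports = { activate };\n"
)


def main(argv):
    if len(argv) < 2:
        print("no path given, scanning the constructed SAMPLE_JS")
        for line, col, length, data in scan_source(SAMPLE_JS):
            print(f"line {line} col {col}: {length} invisible code points -> {data!r}")
        return 0
    for path, hits in scan_extension_dir(pathlib.Path(argv[1])).items():
        for line, col, length, data in hits:
            print(f"{path}:{line}:{col}: {length} invisible code points -> {data[:40]!r}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample flagged (line 2, column 21, 30 hidden code points decoding to the embedded string), or point it at an extension directory to sweep real files. The scanner deliberately reports any run of invisible code points, not only decodable ones, because a zero-width or bidi control character in source is worth a human look regardless of what it encodes.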