GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions

Published:

27 April 2026 at 21:41:01

Alert date:

27 April 2026 at 22:02:51

Source:

bleepingcomputer.com

Supply Chain & Dependencies, Ransomware & Malware

A new wave of the GlassWorm malware campaign is targeting the OpenVSX ecosystem through 73 malicious "sleeper" extensions. These extensions appear benign at first and become malicious only after receiving updates. The campaign is a sophisticated supply chain attack against OpenVSX, the alternative to the Visual Studio Code extension marketplace. The sleeper approach lets the malware pass initial security screening and activate later. This attack vector poses significant risks to developers and organizations that use OpenVSX extensions.

Technical details

The GlassWorm campaign uses 73 "sleeper" extensions in OpenVSX that are initially benign but turn malicious after updates. The extensions act as thin loaders and use three methods: (1) retrieving secondary VSIX packages from GitHub at runtime and installing them via CLI commands; (2) loading platform-specific compiled modules (.node files) that contain the core logic for fetching additional payloads; and (3) using heavily obfuscated JavaScript that decodes at runtime to fetch and install malicious extensions, with encrypted or fallback URLs.

The extensions are clones of legitimate listings, with similar icons, naming, and descriptions but different publisher names and unique identifiers. The campaign originally used invisible Unicode characters to hide malicious code.

Mitigation steps:

Developers who installed any of the 73 extensions should rotate all secrets and clean their environment. Check the full list of extensions published by Socket to identify affected installations.
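Alongside the Socket list, installed extensions can be triaged for the loader traits named under "Technical details". The script below is an added example, not code from the original advisory or from Socket. The signal names, the threshold and the sample extension folders are constructed assumptions; `--install-extension` is the VS Code CLI flag for installing a VSIX.

```python
import pathlib, re, sys, tempfile, unicodedata

# Heuristic triage signals for the loader traits described above. They are
# not verdicts: legitimate extensions also ship native .node modules.
VSIX_INSTALL = re.compile(r"--install-extension|\.vsix\b", re.I)
INVISIBLE_THRESHOLD = 8  # assumption: a few such chars can be emoji joiners

def is_invisible(ch):
    # Format characters (zero-width, tags) plus both variation-selector ranges.
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"
            or 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF)

def scan_extension(ext_dir):
    """Return sorted (signal, relative_path) findings for one extension dir."""
    findings = set()
    for path in pathlib.Path(ext_dir).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(ext_dir).as_posix()
        if path.suffix == ".node":
            findings.add(("native-module", rel))
        if path.suffix not in (".js", ".cjs", ".mjs"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace").lstrip("\ufeff")
        if VSIX_INSTALL.search(text):
            findings.add(("vsix-install", rel))
        if sum(map(is_invisible, text)) >= INVISIBLE_THRESHOLD:
            findings.add(("invisible-unicode", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: one benign and one suspicious extension layout."""
    sample = {
        "benign.theme-1.0.0/extension.js": "exports.activate = () => {};\n",
        "clone.helper-1.0.1/extension.js": "const pad = '" + "\ufe00" * 12 + "';\n",
        "clone.helper-1.0.1/loader.js": "run(cli, ['--install-extension', pkg]);\n",
        "clone.helper-1.0.1/bin/core.node": "",
    }
    for rel, body in sample.items():
        target = pathlib.Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for ext in sorted(p for p in pathlib.Path(root).iterdir() if p.is_dir()):
        print(ext.name, scan_extension(ext))
```

Pass the editor's extensions directory as the first argument (for VS Code, `~/.vscode/extensions`); a hit is a reason to compare that extension's publisher and identifier against the legitimate listing, not proof of compromise.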

Affected products:

OpenVSX
Visual Studio Code Marketplace
GitHub repositories
npm packages
macOS crypto wallet clients

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.