GlassWorm Supply-Chain Attack Escalates, Exploiting 72 Malicious Open VSX Extensions to Target Developers
Cybersecurity researchers have identified a new phase in the GlassWorm campaign, marking a significant escalation in its propagation methods through the Open VSX registry. This development raises concerns about the security of developer tools and the potential for widespread exploitation.
Evolving Tactics in the GlassWorm Campaign
The latest findings indicate that the threat actor is no longer embedding the loader directly into each malicious listing. Instead, they are leveraging extensionPack and extensionDependencies to transform seemingly standalone extensions into vehicles for delivering malicious payloads in subsequent updates. This strategy allows a benign-looking package to pull in a separate GlassWorm-linked extension only after a level of trust has been established.
According to a report by Socket, a software supply chain security company, at least 72 new malicious Open VSX extensions have been discovered since January 31, 2026. These extensions are designed to mimic commonly used developer utilities, such as linters, formatters, code runners, and tools for AI-powered coding assistants like Clade Code and Google Antigravity.
The following is a list of some of the malicious extensions that have been removed from the Open VSX registry:
- angular-studio.ng-angular-extension
- crotoapp.vscode-xml-extension
- gvotcha.claude-code-extension
- mswincx.antigravity-cockpit
- tamokill12.foundry-pdf-extension
- turbobase.sql-turbo-tool
- vce-brendan-studio-eich.js-debuger-vscode
Characteristics of the GlassWorm Malware
GlassWorm is an ongoing malware campaign that has infiltrated both the Microsoft Visual Studio Marketplace and Open VSX. Its malicious extensions are designed to steal sensitive information, drain cryptocurrency wallets, and exploit infected systems for other criminal activities.
The campaign was first flagged by Koi Security in October 2025. However, similar tactics, including the use of invisible Unicode characters to conceal malicious code, were identified as early as March 2025.
The latest iteration of GlassWorm retains several hallmark features, such as avoiding infection of systems with a Russian locale and utilizing Solana transactions as a dead drop resolver to enhance resilience against detection.
New Methods of Obfuscation and Evasion
The new set of malicious extensions exhibits heavier obfuscation techniques and rotates Solana wallets to evade detection. They exploit extension relationships to deploy malicious payloads, similar to how rogue dependencies in npm packages operate. Regardless of whether an extension is categorized as extensionPack or extensionDependencies in its package.json file, the editor installs all other extensions listed within it.
This tactic enables the GlassWorm campaign to use one extension as an installer for another malicious extension. This approach opens new avenues for supply chain attacks, where an attacker can initially upload a harmless VS Code extension to the marketplace to bypass review processes. Subsequently, they can update it to include a GlassWorm-linked package as a dependency.
As reported by thehackernews.com, Socket noted that an extension appearing non-transitive and benign at its initial publication can later become a transitive delivery vehicle for GlassWorm without any change to its apparent purpose.
Broader Implications Across Open-Source Repositories
In a concurrent advisory, Aikido linked the GlassWorm threat actor to a broader campaign affecting open-source repositories. Attackers have been injecting various repositories with invisible Unicode characters to encode malicious payloads. Although this content remains hidden in code editors and terminals, it decodes into a loader responsible for fetching and executing a secondary script aimed at stealing tokens, credentials, and secrets.
Between March 3 and March 9, 2026, an estimated 151 GitHub repositories were affected by this campaign. The same Unicode technique has also been utilized in two npm packages, indicating a coordinated multi-platform effort:
- @aifabrix/miso-client
- @iflow-mcp/watercrawl-watercrawl-mcp
Security researcher Ilyas Makari stated that the malicious injections do not appear in overtly suspicious commits. Instead, the surrounding changes are realistic, including documentation updates, version bumps, and minor refactors that align with the style of each target project. This level of specificity suggests that attackers may be employing advanced tools to generate convincing cover commits.
PhantomRaven: A Distinct Threat or Research Experiment?
In a related development, Endor Labs reported the discovery of 88 new malicious npm packages uploaded in three waves between November 2025 and February 2026 through 50 disposable accounts. These packages are designed to steal sensitive information from compromised machines, including environment variables, CI/CD tokens, and system metadata.
The activity is notable for its use of Remote Dynamic Dependencies (RDD), where the package.json metadata file specifies a dependency at a custom HTTP URL. This method allows operators to modify the malicious code dynamically and evade inspection.
While these packages were initially associated with the PhantomRaven campaign, Endor Labs later indicated that they were produced by a security researcher as part of a legitimate experiment. However, this claim was challenged due to several red flags, including the excessive data collection, lack of transparency, and the use of deliberately rotated account names and email addresses.
As of March 12, 2026, the package owner has made changes, replacing the data-harvesting payload with a simple “Hello, world!” message. Endor Labs emphasized that while the removal of extensive data collection is a positive step, it underscores the risks associated with URL dependencies. When packages rely on external code, authors maintain full control over the payload without needing to publish a new version. A single modification on the server can alter or disable the behavior of all dependent packages simultaneously.
