GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers

Threat actors behind the GlassWorm campaign have evolved their tactics, now abusing extension dependency relationships in the Open VSX registry to distribute malware through a sophisticated supply chain attack targeting software developers.

Transitive Dependency Abuse

Researchers at Socket have identified at least 72 additional malicious Open VSX extensions linked to the campaign since January 31, 2026. Rather than embedding malicious payloads directly in every extension, the threat actors are now leveraging extensionPack and extensionDependencies features to create transitive delivery mechanisms.

How the attack works:

  • Attackers publish clean-looking extensions that pass marketplace security checks
  • After gaining user trust, the extensions are updated to include dependencies on separate packages containing the GlassWorm loader
  • When the extension is installed or updated, the editor automatically installs all referenced extensions, including the malicious payload
  • This allows a benign-appearing package to begin pulling GlassWorm-linked extensions only after trust has been established

Developer Tools Impersonated

The malicious extensions overwhelmingly impersonate widely used developer utilities to maximize installation rates:

  • Linters and formatters: ESLint, Prettier
  • Code runners and language tooling: Angular, Flutter, Python, Vue
  • Quality-of-life extensions: vscode-icons, WakaTime, Better Comments
  • AI developer tooling: Claude Code, Codex, and Antigravity

This mirrors dependency abuse tactics seen in package ecosystems like npm, including the infamous Shai-Hulud campaign that compromised over 800 packages by November 2025.

GlassWorm Tradecraft

Earlier research into GlassWorm revealed sophisticated evasion techniques:

  • Heavy code obfuscation
  • Unicode characters to hide malicious logic
  • Infrastructure that retrieves command-and-control servers through blockchain transactions, making takedowns more difficult

Defensive Recommendations

Organizations should:

  • Treat extension dependencies with the same scrutiny as software packages
  • Monitor extension updates and audit dependency relationships
  • Restrict installation to trusted publishers where possible
  • Review Socket’s published indicators of compromise (IOCs) for malicious extension names and publisher accounts
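The transitive mechanism in "How the attack works" and the first two recommendations above (scrutinise dependencies, audit what changes on update) can be turned into a concrete check. The script below is an added example, not code from Socket, Open VSX or InfoWorld. It reads the two real VS Code manifest fields involved, `extensionDependencies` and `extensionPack` (both lists of `publisher.name` identifiers), walks the install graph breadth-first, diffs an extension's dependencies between two versions to surface the moment a clean package starts pulling in others, and flags anything that resolves to an untrusted publisher or cannot be resolved at all. The registry, publisher names and extension names are constructed placeholders, not indicators from the campaign.

```python
"""Audit the transitive install graph of VS Code / Open VSX extensions (added example)."""
from collections import deque


def extension_id(manifest):
    """Return the 'publisher.name' identifier the editor derives from a manifest."""
    return f"{manifest['publisher']}.{manifest['name']}"


def direct_dependencies(manifest):
    """Everything the editor auto-installs with this extension, in manifest order.

    extensionDependencies are hard requirements; extensionPack entries are
    bundled extras. Both are installed automatically, so both are walked.
    """
    deps = []
    for field in ("extensionDependencies", "extensionPack"):
        for dep in manifest.get(field, []):
            if dep not in deps:
                deps.append(dep)
    return deps


def transitive_dependencies(root_id, registry):
    """Breadth-first walk from root_id; returns {extension_id: path_from_root}.

    Identifiers missing from the registry are still recorded with their path
    so the caller can flag unresolvable references instead of silently
    skipping them.
    """
    paths = {}
    queue = deque([(root_id, [root_id])])
    while queue:
        current, path = queue.popleft()
        manifest = registry.get(current)
        if manifest is None:
            continue
        for dep in direct_dependencies(manifest):
            if dep == root_id or dep in paths:
                continue
            paths[dep] = path + [dep]
            queue.append((dep, path + [dep]))
    return paths


def added_dependencies(previous_manifest, updated_manifest):
    """Dependencies present only after an update: the change to alert on."""
    return set(direct_dependencies(updated_manifest)) - set(direct_dependencies(previous_manifest))


def audit_extension(root_id, registry, trusted_publishers):
    """Flag every transitively installed extension that is unresolvable or
    published outside the trusted set; each finding carries the chain that
    pulled it in."""
    findings = []
    for dep_id, path in transitive_dependencies(root_id, registry).items():
        publisher = dep_id.split(".", 1)[0]
        if dep_id not in registry:
            reason = "not resolvable in registry"
        elif publisher not in trusted_publishers:
            reason = "publisher not in trusted set"
        else:
            continue
        findings.append({"extension": dep_id, "publisher": publisher,
                         "path": path, "reason": reason})
    return findings


# Constructed sample registry keyed by 'publisher.name' (placeholders, not IoCs).
SAMPLE_REGISTRY = {
    "goodpub.eslint-helper": {
        "name": "eslint-helper", "publisher": "goodpub", "version": "1.1.0",
        "extensionDependencies": [], "extensionPack": ["helperpub.format-utils"],
    },
    "helperpub.format-utils": {
        "name": "format-utils", "publisher": "helperpub", "version": "0.3.0",
        "extensionDependencies": ["unknownpub.runtime-loader"], "extensionPack": [],
    },
    "unknownpub.runtime-loader": {
        "name": "runtime-loader", "publisher": "unknownpub", "version": "2.0.1",
        "extensionDependencies": ["missingpub.stage-two"], "extensionPack": [],
    },
    "goodpub.theme-pack": {
        "name": "theme-pack", "publisher": "goodpub", "version": "3.0.0",
        "extensionDependencies": [], "extensionPack": [],
    },
}

# The same extension as it looked before the update that introduced the pack.
PREVIOUS_MANIFEST = {
    "name": "eslint-helper", "publisher": "goodpub", "version": "1.0.0",
    "extensionDependencies": [], "extensionPack": [],
}

if __name__ == "__main__":
    root = extension_id(SAMPLE_REGISTRY["goodpub.eslint-helper"])
    print("added on update:", added_dependencies(PREVIOUS_MANIFEST, SAMPLE_REGISTRY[root]))
    for finding in audit_extension(root, SAMPLE_REGISTRY, {"goodpub"}):
        print(finding["reason"], "->", " -> ".join(finding["path"]))
```

In practice the registry map is built from the manifests of the versions actually installed (or fetched from the marketplace API), and the trusted-publisher set is the allowlist the organisation enforces; the diff function is run on every update event so a newly added `extensionPack` entry is reviewed before the editor installs it.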

As of March 13, Open VSX has removed the majority of the transitively malicious extensions, though a few remain live as takedowns continue.

Source: InfoWorld