GlassWorm v2: 73 Fake VS Code Extensions Discovered on Open VSX

A cluster of 73 malicious extensions linked to GlassWorm v2 discovered on Open VSX. Attackers use sleeper packages to evade security checks.

Seventy-three fake extensions have been identified on the Open VSX repository, linked to the GlassWorm v2 information-stealing campaign. The discovery, announced on April 27, 2026, by cybersecurity researchers, highlights a significant tactical evolution: the use of "sleeper packages" that build trust over time before the malware is activated.

Socket, a company specializing in software security, has classified the cluster as GlassWorm v2. Six extensions were confirmed to be actively malicious, while the others function as sleeper packages, published to accumulate credibility before receiving malicious updates.

How "sleeper packages" operate

The strategy behind this campaign represents a shift from traditional approaches. Instead of immediately distributing malware, attackers publish seemingly legitimate extensions that contain no malicious code at the time of installation. These packages are created by newly registered GitHub accounts with one or two public repositories.

The extensions use typosquatting techniques and copy the icons and descriptions of the original versions to create what researchers call "visual trust." Two of the extensions confirmed as malicious are named in the report: 'outsidestormcommand.monochromator-theme' and 'keyacrosslaud.auto-loop-for-antigravity'.

Socket explained the technical mechanism: "This approach achieves the same outcome as the binary-based variant, but keeps the delivery logic in obfuscated JavaScript. The extension acts as a loader, while the payload is retrieved and executed after activation."

Cross-IDE propagation

Once activated, the payload is retrieved from GitHub and installed in every IDE identified on the system. The '--install-extension' command allows the malware to spread across VS Code, Cursor, Windsurf, and VSCodium without requiring user interaction.

The final goal of the campaign is multi-faceted: avoid systems located in Russia, steal sensitive data from the development environment, install a RAT (Remote Access Trojan), and distribute a rogue Chromium extension designed to steal credentials.
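Because the loader installs itself into every IDE it finds, an audit has to look beyond a single editor. The script below is an added example, not Socket's tooling or anything from the report: it walks the per-user extension folders of the four IDEs named above, reads each extension's package.json, and flags the two extension IDs the article names. The VS Code and VSCodium paths are the standard ones; the Cursor and Windsurf paths, the sample-tree helper and its publisher names are assumptions.

```python
import json
import tempfile
from pathlib import Path
# Extension IDs the report names as confirmed malicious (from the article).
GLASSWORM_V2_IDS = {
    "outsidestormcommand.monochromator-theme",
    "keyacrosslaud.auto-loop-for-antigravity",
}

# Standard roots for VS Code and VSCodium; the Cursor and Windsurf roots are assumptions.
DEFAULT_EXTENSION_DIRS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".cursor" / "extensions",    # assumed
    Path.home() / ".windsurf" / "extensions",  # assumed
]

def installed_extension_ids(ext_dir):
    """Yield (publisher.name, folder) for each extension with a package.json."""
    if not ext_dir.is_dir():
        return
    for manifest in ext_dir.glob("*/package.json"):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the audit
        publisher, name = meta.get("publisher"), meta.get("name")
        if publisher and name:
            yield f"{publisher}.{name}".lower(), manifest.parent

def audit(ext_dirs=DEFAULT_EXTENSION_DIRS, blocklist=GLASSWORM_V2_IDS):
    """Return sorted (extension_id, ide_root) pairs whose ID is blocklisted."""
    hits = []
    for root in ext_dirs:
        for ext_id, _folder in installed_extension_ids(root):
            if ext_id in blocklist:
                hits.append((ext_id, str(root)))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: a clean VS Code root and a Cursor root with one hit."""
    base = Path(tempfile.mkdtemp())
    layout = {"vscode": [("examplepub", "clean-theme")],
              "cursor": [("OutsideStormCommand", "monochromator-theme")]}
    for ide, exts in layout.items():
        for pub, name in exts:
            folder = base / ide / "extensions" / f"{pub}.{name}-1.0.0"
            folder.mkdir(parents=True)
            (folder / "package.json").write_text(json.dumps({"publisher": pub, "name": name}))
    return [base / ide / "extensions" for ide in layout]
```

Calling `audit()` with no arguments scans the default roots on the current machine; IDs are lower-cased before comparison because the marketplace treats them case-insensitively.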

The timeline of the GlassWorm campaign

Monitoring of artifacts linked to GlassWorm began on December 21, 2025. Since that date, researchers have identified over 320 total artifacts linked to the campaign. All 73 extensions in the new cluster were published in early April 2026.

Previously, on October 17, 2025, seven Open VSX extensions had already been compromised in the first phase of the attacks, recording a total of 35,800 downloads. Ten extensions were still actively distributing malware at the time of that discovery.

The GlassWorm campaign has proven capable of sustaining and propagating itself autonomously, combining invisible code, blockchain-based command-and-control, and full RAT functionality. Attackers primarily targeted the Open VSX marketplace, with one instance also detected on the Microsoft VS Code Marketplace, which was subsequently removed.

The context of supply chain attacks

Software supply chain attacks have become an increasingly exploited vector. GlassWorm represents an evolution from one-off compromises: it builds autonomous, self-propagating malware capable of spreading rapidly through normal extension updates and dependency mechanisms.

Users who had installed infected extensions were compromised immediately, as GlassWorm was already an active threat before its discovery. The self-propagating nature of the malware, combined with delivery logic in obfuscated JavaScript, makes detection particularly complex for traditional security controls.

Frequently Asked Questions

What are "sleeper packages" in the GlassWorm v2 malware?
They are extensions published as seemingly legitimate, without initial malicious code. They are used to build trust and receive malicious updates later, evading security checks at the time of publication.

Which IDEs are targeted by GlassWorm v2?
The malware targets VS Code, Cursor, Windsurf, and VSCodium, automatically installing itself via the '--install-extension' command in every IDE detected on the system.

How many malicious extensions were discovered on Open VSX?
Seventy-three fake extensions linked to GlassWorm v2 have been identified. Six are confirmed as actively malicious, while the others function as sleeper packages.

This article is a summary based exclusively on the listed sources.

Sources