
GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say marks a “significant increase” in its ability to spread through the Open VSX registry.

“Instead of requiring all malicious packages to embed the loader directly, the threat actor now abuses extensionPack and extensionDependencies to turn seemingly independent extensions into delivery vehicles for the payload in later updates, allowing a seemingly benign package to start pulling in a GlassWorm-linked sibling extension only after trust has been established,” Socket said in a report.

The software supply chain security firm said it had found at least 72 malicious Open VSX extensions as of January 31, 2026, all aimed at developers. The extensions impersonate widely used developer tools, including linters and formatters, code runners, and artificial intelligence (AI)-powered coding assistants such as Claude Code and Google Antigravity.

A selection of the extensions is listed below. Open VSX has since taken steps to remove them from the registry –

  • extension-of-angular-studio.ng-angular
  • crotoapp.vscode-xml-extension
  • gvotcha.claude-code-extension
  • mswincx.antigravity-cockpit
  • tamokill12.foundry-pdf-extension
  • turbobase.sql-turbo-tool
  • vce-brendan-studio-eich.js-debuger-vscode

GlassWorm is the name given to an ongoing malware campaign that has repeatedly infiltrated the Visual Studio Code Marketplace and the Open VSX registry with malicious extensions designed to steal credentials, drain cryptocurrency wallets, and abuse infected systems as proxies for other criminal activity.

Although the campaign was first flagged by Koi Security in October 2025, npm packages using similar tactics – specifically invisible Unicode characters to hide malicious code – had already been identified as early as March 2025.

The latest iteration retains many of the hallmarks associated with GlassWorm: checks to avoid infecting systems with a Russian locale, and the use of Solana transactions as a dead-drop resolver to retrieve the command-and-control (C2) server address, which makes the infrastructure resilient to takedown.

But the new set of extensions also features heavy obfuscation and rotates Solana wallets to evade detection, and it abuses extension relationships to deliver malicious payloads, much as malicious npm packages rely on transitive dependencies to fly under the radar. Whether an extension lists others under “extensionPack” or “extensionDependencies” in its “package.json” manifest, the editor installs every extension on that list alongside it.

In doing so, the GlassWorm campaign uses one extension as an installer for another malicious extension. It also opens up a new supply chain scenario: an attacker first uploads a completely harmless VS Code extension to the marketplace so that it passes review, and later updates it to list a GlassWorm-linked package as a dependency.

“As a result, an extension that looked inert and benign at its first release could later become a payload delivery vehicle for GlassWorm without any change to its stated purpose,” Socket said.

In a concurrent advisory, Aikido said the GlassWorm threat actor is behind a large-scale campaign spanning open-source repositories, with the attackers injecting invisible Unicode characters into various repositories to plant malicious code. Although the characters render as nothing in code editors and terminals, they decode to a loader that is responsible for downloading and executing a second-stage script to steal tokens, credentials, and secrets.

No fewer than 151 GitHub repositories are estimated to have been affected by the campaign between March 3 and March 9, 2026. The same Unicode technique was also used in two npm packages, indicating a coordinated, cross-platform push –

  • @aifabrix/miso-client
  • @iflow-mcp/watercrawl-watercrawl-mcp

“The malicious injections don’t come in suspicious-looking commits,” said security researcher Ilyas Makari. “The surrounding changes are real: documentation fixes, version bumps, minor refactors, and bug fixes that match the style of each target project. This level of project-specific tailoring strongly suggests that attackers are using large language models to craft plausible commits.”

PhantomRaven or Research Experiment?

The development comes as Endor Labs said it discovered 88 new malicious npm packages uploaded in three waves between November 2025 and February 2026 from 50 accounts. The packages are capable of stealing sensitive information from a compromised machine, including environment variables, CI/CD tokens, and system metadata.

What makes the packages stand out is their use of Remote Dynamic Dependencies (RDD), where the “package.json” manifest declares a dependency on an attacker-controlled HTTP URL rather than on a registry package, allowing the operators to modify the malicious code on the fly and evade scanning.

While the packages were initially attributed to the PhantomRaven campaign, the application security company noted in an update that the package owner claimed they were produced by a security researcher as part of an authorized audit, a claim it challenged, citing three red flags: the libraries collect more information than is necessary, they do not disclose this to the user, and they are published under deliberately misleading account names and email addresses.

As of March 12, 2026, the package owner has made further changes, replacing the data-harvesting payload served to the npm packages published over the three-month period with a simple “Hello, world!” message.

“While the removal of extensive data collection code is welcome, it also highlights the risks associated with URL dependencies,” Endor Labs said. “When packages rely on code managed outside the npm registry, authors retain full control over the payload without publishing a new version of the package. By modifying a single file on the server – or simply shutting it down – they can silently change or disable the behavior of all dependent packages at once.”
