GlassWorm supply chain attack exploits 72 open VSX extensions to target developers

By user, March 14, 2026

Cybersecurity researchers have warned of a new iteration of the GlassWorm campaign that they say has “significantly expanded” how it spreads through the Open VSX registry.

“Rather than requiring loaders to be directly embedded in every malicious list, threat actors are now exploiting extensionPack and extensionDependency to turn extensions that initially appear standalone into transitive delivery vehicles in later updates, allowing seemingly benign packages to begin pulling extensions linked to individual GlassWorms only if trust has already been established,” Socket said in a report released Friday.

The software supply chain security company said it has discovered at least 72 additional malicious Open VSX extensions targeting developers since January 31, 2026. These extensions mimic widely used developer utilities, such as linters and formatters, code runners, and artificial intelligence (AI)-powered coding assistants like Claude Code and Google Antigravity.

The names of some of the extensions are listed below. Open VSX has since taken steps to remove them from the registry.

  • angular-studio.ng-angular-extension
  • crotoapp.vscode-xml-extension
  • gvotcha.claude-code-extension
  • mswincx.antigravity-cockpit
  • tamokill12.foundry-pdf-extension
  • turbobase.sql-turbo-tool
  • vce-brendan-studio-eich.js-debuger-vscode

GlassWorm is the name given to an ongoing malware campaign that is repeatedly injecting malicious extensions into Microsoft Visual Studio Marketplace and Open VSX with the goal of stealing secrets, exfiltrating cryptocurrency wallets, and exploiting infected systems as proxies for other criminal activities.

This activity was first reported by Koi Security in October 2025, but npm packages using the same tactics, specifically the use of invisible Unicode characters to hide malicious code, were identified as far back as March 2025.

The latest iteration retains many of the features associated with GlassWorm: it runs checks to avoid infecting systems with a Russian locale, and it uses Solana transactions as a dead drop resolver to fetch the command-and-control (C2) server, which improves resiliency.

However, the new set of extensions features stronger obfuscation and rotates Solana wallets to avoid detection. It also abuses extension relationships to deploy malicious payloads, similar to how npm packages rely on rogue dependencies to fly under the radar. Whether an extension is listed under “extensionPack” or “extensionDependencies” in an extension’s “package.json” file, the editor installs every other extension listed there.

In doing so, the GlassWorm campaign uses one extension as an installer for another malicious extension. This also opens up new supply chain attack scenarios: attackers can first upload completely benign VS Code extensions to the marketplace to bypass reviews, and later update them to list GlassWorm-linked packages as dependencies.

“As a result, an extension that appeared non-transitive and relatively benign when first published could later become a transitive GlassWorm distribution vehicle without changing its apparent purpose,” Socket said.
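One way to catch the update pattern described above is to compare the manifest of the installed version with the manifest of a pending update and report any extension the update newly pulls in. This is an added example, not code from Socket or Open VSX; the function names, the allowlist parameter, and the sample manifests are constructed for illustration.

```javascript
// Manifest keys whose entries the editor installs together with the extension.
const RELATION_KEYS = ["extensionPack", "extensionDependencies"];

// Collect every extension ID a manifest pulls in. IDs are lower-cased so that
// "Pub.Name" and "pub.name" are treated as the same extension.
function relatedExtensions(manifest) {
  const found = new Map(); // id -> Set of manifest keys that reference it
  for (const key of RELATION_KEYS) {
    const list = Array.isArray(manifest[key]) ? manifest[key] : [];
    for (const raw of list) {
      if (typeof raw !== "string") continue; // ignore malformed entries
      const id = raw.trim().toLowerCase();
      if (!found.has(id)) found.set(id, new Set());
      found.get(id).add(key);
    }
  }
  return found;
}

// Report relations present in `next` but absent from `prev`: the update has
// turned the extension into an installer for something it did not ship before.
function newRelations(prev, next, allowlist = []) {
  const before = relatedExtensions(prev);
  const allowed = new Set(allowlist.map((id) => id.toLowerCase()));
  const findings = [];
  for (const [id, keys] of relatedExtensions(next)) {
    if (before.has(id) || allowed.has(id)) continue;
    findings.push({ id, via: [...keys].sort(), from: prev.version, to: next.version });
  }
  return findings;
}

// Constructed sample: 1.0.0 is standalone, 1.0.1 quietly adds relations.
const v1 = { name: "sample-formatter", publisher: "example-pub", version: "1.0.0" };
const v2 = {
  ...v1,
  version: "1.0.1",
  extensionPack: ["Example-Pub.helper-runtime"],
  extensionDependencies: ["example-pub.helper-runtime", "trusted-org.linter"],
};

console.log(newRelations(v1, v2, ["trusted-org.linter"]));
```

A finding here is a prompt for review rather than a verdict: legitimate extension packs add members too, which is why the allowlist exists.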

In a concurrent advisory, Aikido said it believes the GlassWorm attackers are responsible for a large-scale campaign spread across open source repositories, in which the attackers inject invisible Unicode characters into various repositories to encode payloads. This content is not visible when loaded into a code editor or terminal, but it is decoded into a loader that fetches and executes a second-stage script to steal tokens, credentials, and secrets.
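Because the injected content does not render, review has to be done on code points rather than on what the editor shows. The scanner below is an added example, not Aikido's tooling: it reports long runs of non-rendering characters, and both the set of code point ranges and the run-length threshold are choices made for this sketch.

```javascript
// Code points that render as nothing in most editors and terminals:
// zero-width and bidi controls, the BOM, variation selectors, and tag
// characters. The exact ranges are a selection made for this example.
const INVISIBLE =
  /[\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF\uFE00-\uFE0F\u{E0000}-\u{E007F}\u{E0100}-\u{E01EF}]+/gu;

// Return every run of at least `minRun` invisible code points.
// Short runs are skipped because a leading BOM or a single variation
// selector after an emoji is normal; an encoded payload needs many in a row.
function findInvisibleRuns(text, minRun = 8) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(INVISIBLE)) {
      const count = [...m[0]].length; // code points, not UTF-16 units
      if (count < minRun) continue;
      findings.push({
        line: i + 1,
        column: m.index + 1, // 1-based, counted in UTF-16 units
        count,
        first: "U+" + m[0].codePointAt(0).toString(16).toUpperCase(),
      });
    }
  });
  return findings;
}

// Constructed sample: line 1 has a BOM and an emoji with one variation
// selector (both benign); line 2 hides twelve selectors inside a string
// literal that looks empty on screen.
const SAMPLE =
  "\uFEFF// header \u2764\uFE0F\n" +
  'const s = "' + "\u{E0101}".repeat(12) + '";\n' +
  "module.exports = s;";

console.log(findInvisibleRuns(SAMPLE));
```

Run against the added lines of a commit, a check like this flags the invisible run even when the surrounding change looks like routine maintenance.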

It is estimated that no fewer than 151 GitHub repositories were affected as part of the campaign between March 3 and March 9, 2026. Additionally, the same Unicode technique has been deployed in two different npm packages, demonstrating a coordinated multi-platform push:

  • @aifabrix/miso-client
  • @iflow-mcp/watercrawl-watercrawl-mcp

“Malicious injections are not among the obviously suspicious commits,” security researcher Ilyas Makari said. “The surrounding changes are real: documentation tweaks, version upgrades, small refactorings, and bug fixes that are stylistically consistent with each target project. This level of project-specific adjustments strongly suggests that the attacker is using an extensive language model to generate convincing cover commits.”

Phantom Raven or a research experiment?

The development comes after Endor Labs announced it had discovered 88 new malicious npm packages uploaded via 50 single-use accounts in three waves from November 2025 to February 2026. These packages contain functionality to steal sensitive information such as environment variables, CI/CD tokens, and system metadata from a compromised machine.

This activity is notable for its use of remote dynamic dependencies (RDDs): the “package.json” metadata file specifies dependencies with custom HTTP URLs, allowing operators to modify malicious code on the fly and to bypass inspection.

These packages were initially identified as part of the PhantomRaven campaign, but the application security company noted in an update that the packages were created by security researchers as part of a legitimate experiment. The company disputed this claim, citing three red flags. These include the fact that the library collects more information than necessary, provides no transparency to its users, and intentionally swaps account names and email addresses for public viewing.

As of March 12, 2026, the package owner has made additional changes, replacing the data collection payload distributed via some of the npm packages that have been published for three months with a simple “Hello, world!” message.

“While the removal of code that collected extensive information is certainly welcome, it also highlights the risks associated with URL dependencies,” Endor Labs said. “If a package depends on code hosted outside of the npm registry, authors have complete control over the payload without having to publish a new package version. They can silently change or disable the behavior of all dependent packages at once by modifying a single file on the server or by simply shutting down the file.”
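URL dependencies of the kind Endor Labs describes can be found by auditing the dependency sections of a “package.json” for specifiers that are HTTP(S) URLs instead of registry version ranges. The following is an added example, not Endor Labs' code; the function name, the trusted-host default, and the sample manifest are assumptions made for illustration.

```javascript
const DEP_SECTIONS = [
  "dependencies", "devDependencies", "optionalDependencies", "peerDependencies",
];

// Flag dependency specifiers that point at an HTTP(S) URL. Whatever that URL
// serves can change without a new package version being published.
// `trustedHosts` is an assumption of this sketch: hosts accepted as-is.
function findUrlDependencies(pkg, trustedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  for (const section of DEP_SECTIONS) {
    const deps = pkg[section];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec !== "string") continue;
      const value = spec.trim();
      const m = /^(?:git\+)?(https?):\/\//i.exec(value);
      if (!m) continue; // ordinary semver range, tag, or other non-HTTP spec
      let host = null;
      try {
        host = new URL(value.replace(/^git\+/i, "")).hostname.toLowerCase();
      } catch {
        // Malformed URL: report it anyway with host left as null.
      }
      if (host && trustedHosts.includes(host)) continue;
      findings.push({
        section, name, spec: value, host,
        plaintext: m[1].toLowerCase() === "http", // no transport integrity
      });
    }
  }
  return findings;
}

// Constructed sample manifest; the .invalid hosts are placeholders.
const SAMPLE_PKG = {
  name: "sample-app",
  version: "0.1.0",
  dependencies: {
    "left-helper": "^1.2.0",
    "ui-lib": "http://packages.example.invalid/ui-lib.tgz",
    "core": "https://registry.npmjs.org/core/-/core-1.0.0.tgz",
  },
  devDependencies: {
    "build-tool": "git+https://git.example.invalid/org/build-tool.git",
  },
};

console.log(findUrlDependencies(SAMPLE_PKG));
```

The same check should be applied to the manifests of transitive dependencies, since the URL specifier is often one level below the package a project installs directly.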
