top of page

GlassWorm Campaign Exploits 72 VSX Extensions in Developer Supply-Chain Attack

  • Mar 15
  • 2 min read

Key Findings


* GlassWorm campaign identified targeting developers through 72 malicious Open VSX extensions


* Uses sophisticated supply-chain attack technique exploiting extension dependencies


* Targets development environments to steal secrets and compromise systems


* Employs advanced obfuscation and evasion techniques


* Spans multiple platforms including Open VSX, GitHub, and npm registries


Background


The GlassWorm campaign represents an evolving threat in software supply chain security, first detected in October 2025. Initially focused on infiltrating development marketplaces, the campaign has progressively refined its methods to evade detection and expand its attack surface.


Attack Methodology


Threat actors are now exploiting the Open VSX registry's extension architecture by abusing `extensionPack` and `extensionDependencies` mechanisms. This allows seemingly benign extensions to become delivery vehicles for malicious payloads after establishing initial trust.


Technical Characteristics


* Checks for Russian locale to avoid infecting specific systems


* Uses Solana transactions as dead drop resolvers for command-and-control infrastructure


* Employs invisible Unicode characters for payload obfuscation


* Rotates cryptocurrency wallets to prevent tracking


* Targets developer tools like linters, formatters, and AI coding assistants


Scope of Compromise


* 72 malicious Open VSX extensions identified since January 31, 2026


* 151 GitHub repositories estimated to be affected


* Two identified npm packages using similar techniques


* Targets include extensions mimicking popular development tools


Infection Mechanism


The attack leverages the automatic installation behavior of Visual Studio Code, where listed dependencies are automatically downloaded. By carefully constructing extension relationships, attackers can introduce malicious packages into development environments without immediate suspicion.


Mitigation Recommendations


* Implement strict extension vetting processes


* Regularly audit development environment dependencies


* Prioritize extensions from verified publishers


* Use software composition analysis tools


* Maintain updated security awareness training for developers


Sources


  • https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1rtk7ue/glassworm_supplychain_attack_abuses_72_open_vsx/

  • https://x.com/TheCyberSecHub/status/2032816571706704074

  • https://www.instagram.com/p/DV3kdCzjpNV/

  • https://cybersecuritynews.com/glassworm-campaign-uses-72-malicious-open-vsx-extensions/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page