GlassWorm Campaign Exploits 72 VSX Extensions in Developer Supply-Chain Attack
- Mar 15
- 2 min read
Key Findings
* GlassWorm campaign identified targeting developers through 72 malicious Open VSX extensions
* Uses sophisticated supply-chain attack technique exploiting extension dependencies
* Targets development environments to steal secrets and compromise systems
* Employs advanced obfuscation and evasion techniques
* Spans multiple platforms including Open VSX, GitHub, and npm registries
Background
The GlassWorm campaign represents an evolving threat in software supply chain security, first detected in October 2025. Initially focused on infiltrating development marketplaces, the campaign has progressively refined its methods to evade detection and expand its attack surface.
Attack Methodology
Threat actors are now exploiting the Open VSX registry's extension architecture by abusing `extensionPack` and `extensionDependencies` mechanisms. This allows seemingly benign extensions to become delivery vehicles for malicious payloads after establishing initial trust.
Technical Characteristics
* Checks for Russian locale to avoid infecting specific systems
* Uses Solana transactions as dead drop resolvers for command-and-control infrastructure
* Employs invisible Unicode characters for payload obfuscation
* Rotates cryptocurrency wallets to prevent tracking
* Targets developer tools like linters, formatters, and AI coding assistants
Scope of Compromise
* 72 malicious Open VSX extensions identified since January 31, 2026
* 151 GitHub repositories estimated to be affected
* Two identified npm packages using similar techniques
* Targets include extensions mimicking popular development tools
Infection Mechanism
The attack leverages the automatic installation behavior of Visual Studio Code, where listed dependencies are automatically downloaded. By carefully constructing extension relationships, attackers can introduce malicious packages into development environments without immediate suspicion.
Mitigation Recommendations
* Implement strict extension vetting processes
* Regularly audit development environment dependencies
* Prioritize extensions from verified publishers
* Use software composition analysis tools
* Maintain updated security awareness training for developers
Sources
https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html
https://www.reddit.com/r/SecOpsDaily/comments/1rtk7ue/glassworm_supplychain_attack_abuses_72_open_vsx/
https://x.com/TheCyberSecHub/status/2032816571706704074
https://www.instagram.com/p/DV3kdCzjpNV/
https://cybersecuritynews.com/glassworm-campaign-uses-72-malicious-open-vsx-extensions/

Comments