
72 Open VSX Extensions Abused in GlassWorm Supply‑Chain Attack

Cybersecurity researchers are tracking a new wave of the GlassWorm operation that they describe as a “significant escalation” in how the malware spreads via the Open VSX extension registry.

What’s changed?
According to a report published Friday by Socket, the threat actor has shifted from embedding a loader in every malicious extension to abusing the extensionPack and extensionDependencies fields of the extension manifest (package.json). This lets attackers first ship an innocuous-looking extension and then, through later updates, quietly turn it into a transitive installer that pulls in a separate, GlassWorm-linked payload after trust has been established.


Scale and Targets

Socket said it has identified at least 72 additional malicious Open VSX extensions since January 31, 2026, aimed squarely at developers. These trojanized extensions impersonate common developer tooling: linters, formatters, code runners, and utilities for AI-assisted coding (e.g., Claude Code and Google Antigravity).

Open VSX has removed the following example packages (among others):

  • angular-studio.ng-angular-extension
  • crotoapp.vscode-xml-extension
  • gvotcha.claude-code-extension
  • mswincx.antigravity-cockpit
  • tamokill12.foundry-pdf-extension
  • turbobase.sql-turbo-tool
  • vce-brendan-studio-eich.js-debuger-vscode

What Is GlassWorm?

GlassWorm is an ongoing malware campaign that has repeatedly seeded the Microsoft Visual Studio Marketplace and Open VSX with malicious extensions designed to exfiltrate secrets, drain cryptocurrency wallets, and misuse infected machines as proxies for further criminal activity.

  • The campaign was initially spotlighted by Koi Security in October 2025.
  • Related activity in the npm ecosystem, particularly the use of invisible Unicode characters to conceal malicious code, dates back to March 2025.

TTPs: What’s New and What’s Persisting

The latest GlassWorm wave keeps several recognizable traits:

  • Locale checks to avoid infecting systems set to Russian
  • Using Solana transactions as a dead drop to retrieve the C2 endpoint, improving resiliency

New wrinkles include:

  • Heavier obfuscation
  • Rotating Solana wallets to dodge detection
  • Systematic abuse of extension relationships (extensionPack / extensionDependencies) to deliver payloads much like rogue dependency chains in npm

Whether an extension lists other extensions under extensionPack or under extensionDependencies in its package.json, the editor installs every listed extension alongside it. That lets one package act as a stealth installer for another, malicious one, and the install happens without the user ever searching for or choosing the second extension.

This pattern unlocks new supply‑chain routes: an attacker can first publish a harmless VS Code extension that passes review, then later update it to depend on a GlassWorm‑linked package.

As Socket puts it, an extension that initially appeared non‑transitive and relatively benign can later transform into a transitive delivery vector without altering its visible purpose.
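To make the relationship-abuse pattern concrete, here is an added audit script (not Socket's, Open VSX's or VS Code's code) that walks extensionPack and extensionDependencies across two constructed versions of an extension manifest and reports what the newer version silently pulls in. Every publisher, extension name and the in-memory registry stand-in are invented for illustration.

```python
"""Audit VS Code extension manifests for transitive installs via
extensionPack / extensionDependencies.

The manifests below are constructed samples standing in for the
package.json of one extension at two published versions: the first is
self-contained, the second quietly adds installs from other publishers.
"""
import json

# Version 1: a plain linter, nothing else gets installed (constructed).
V1 = json.loads("""{
  "name": "js-linter-pro",
  "publisher": "acme-tools",
  "version": "1.0.0",
  "extensionDependencies": []
}""")

# Version 1.0.1: same description, same activation, but now two more
# extensions ride along, one of them from an unrelated publisher.
V2 = json.loads("""{
  "name": "js-linter-pro",
  "publisher": "acme-tools",
  "version": "1.0.1",
  "extensionPack": ["acme-tools.js-formatter"],
  "extensionDependencies": ["someone-else.helper-runtime"]
}""")

# Registry stand-in (constructed): "publisher.name" -> manifest, so the
# walk can resolve what each pulled-in extension itself pulls in.
REGISTRY = {
    "acme-tools.js-linter-pro": V2,
    "acme-tools.js-formatter": {
        "name": "js-formatter", "publisher": "acme-tools", "version": "2.0.0"},
    "someone-else.helper-runtime": {
        "name": "helper-runtime", "publisher": "someone-else", "version": "0.3.0",
        "extensionDependencies": ["third-party.loader"]},
    "third-party.loader": {
        "name": "loader", "publisher": "third-party", "version": "0.1.0"},
}


def linked_extensions(manifest):
    """Both fields cause the editor to install the listed extensions."""
    return list(manifest.get("extensionPack", [])) + \
        list(manifest.get("extensionDependencies", []))


def transitive_installs(manifest, registry):
    """Every extension id that installing `manifest` would bring in,
    following extensionPack and extensionDependencies recursively."""
    seen = set()
    stack = linked_extensions(manifest)
    while stack:
        ident = stack.pop()
        if ident in seen:
            continue
        seen.add(ident)
        child = registry.get(ident)
        if child is None:
            continue  # unresolvable offline; still counts as an install
        stack.extend(linked_extensions(child))
    return sorted(seen)


def new_installs_between(old, new, registry):
    """Extensions a version bump newly drags in: the 'benign first,
    transitive later' pattern in one set difference."""
    before = set(transitive_installs(old, registry))
    after = set(transitive_installs(new, registry))
    return sorted(after - before)


def cross_publisher(manifest, installs):
    """Installs whose publisher differs from the declaring extension's;
    a strong signal when they appear in an update."""
    own = manifest["publisher"]
    return [i for i in installs if i.split(".", 1)[0] != own]


if __name__ == "__main__":
    added = new_installs_between(V1, V2, REGISTRY)
    print("newly installed by", V2["version"], ":", added)
    print("cross-publisher:", cross_publisher(V2, added))
```

Against real data, the registry stand-in would be replaced by package.json files fetched from Open VSX or read from the editor's extensions directory. The thing to alert on is an update whose manifest adds installs, especially cross-publisher ones, while the extension's description, activation events and visible feature set stay unchanged.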


Parallel Activity: Unicode‑Hidden Payloads Across Repos

In a separate advisory, Aikido ties the GlassWorm actor to a mass campaign spreading across open‑source repositories. The attackers inject invisible Unicode characters that encode a payload; while the code looks clean in editors and terminals, it decodes into a loader that retrieves and runs a second‑stage script to steal tokens, credentials, and secrets.

  • ~151 GitHub repositories are estimated to have been impacted between March 3 and March 9, 2026.
  • The same Unicode trick appeared in two npm packages, signaling a multi‑platform push:
    • @aifabrix/miso-client
    • @iflow-mcp/watercrawl-watercrawl-mcp

Security researcher Ilyas Makari noted that these malicious changes don't show up as obviously suspicious commits. Instead, they are wrapped in plausible updates: docs tweaks, version bumps, small refactors, and stylistically consistent bug fixes, suggesting the attackers may be using large language models to craft convincing cover commits.
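The invisible-character trick is easy to catch mechanically once you look for it. The scanner below is an added example, not Aikido's or the researcher's tooling: it flags zero-width, format, Unicode tag and variation-selector code points that editors and terminals render as nothing, and strips them so the text a reviewer saw can be compared with what was actually committed. The sample source and the hidden characters planted in it are constructed; the scanner detects, it does not decode the payload.

```python
"""Detect invisible Unicode code points hiding in source text.

Intended as a pre-commit or CI check over changed files. The sample
below is constructed: a zero-width space, a zero-width non-joiner and
two Unicode TAG characters are appended to an ordinary line of JS.
"""
import unicodedata

# Invisible characters that are NOT in the Cf/Cc/Co categories.
EXTRA_INVISIBLE = {
    0x3164,          # HANGUL FILLER
    0xFFA0,          # HALFWIDTH HANGUL FILLER
    0x115F, 0x1160,  # HANGUL CHOSEONG / JUNGSEONG FILLER
    0x2800,          # BRAILLE PATTERN BLANK
}
# Variation selectors are category Mn but draw nothing on their own.
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def is_invisible(ch):
    """True for code points that render as nothing or as raw controls."""
    cp = ord(ch)
    if ch in ALLOWED_CONTROLS:
        return False
    if cp in EXTRA_INVISIBLE:
        return True
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS):
        return True
    cat = unicodedata.category(ch)
    # Cf: ZWSP/ZWJ/ZWNJ, BOM, bidi controls and the U+E0000 TAG block.
    # Cc: other control characters. Co: private use.
    return cat in ("Cf", "Cc", "Co")


def scan(text):
    """Return (line_no, col, codepoint, name) for every invisible
    character found; line numbers are 1-based, columns are 0-based."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line):
            if is_invisible(ch):
                hits.append((line_no, col, ord(ch),
                             unicodedata.name(ch, "<unnamed>")))
    return hits


def strip_invisible(text):
    """Remove every flagged character; diff the result against the
    committed file to see exactly what was smuggled in."""
    return "".join(ch for ch in text if not is_invisible(ch))


# Constructed sample. HIDDEN is ZWSP, ZWNJ, TAG LATIN CAPITAL LETTER A,
# TAG LATIN CAPITAL LETTER B; printed, the line looks unchanged.
HIDDEN = "\u200b\u200c\U000e0041\U000e0042"
SAMPLE = (
    "const config = loadConfig();\n"
    f"const version = '1.0.1';{HIDDEN}\n"
    "module.exports = { config, version };\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in scan(SAMPLE):
        print(f"line {line_no} col {col}: U+{cp:04X} {name}")
    print("bytes removed:", len(SAMPLE) - len(strip_invisible(SAMPLE)))
```

Legitimate source rarely contains format characters outside string literals, so a hit inside an identifier, a comment or trailing whitespace deserves a look rather than an allowlist entry. Because the check runs on code points, it also catches payloads that are split across several lines or interleaved with real tokens.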


PhantomRaven or a “Research Experiment”?

Endor Labs reports discovering 88 malicious npm packages shipped in three waves between November 2025 and February 2026 via 50 disposable accounts. These packages harvest sensitive data from compromised hosts, including environment variables, CI/CD tokens, and system metadata.

A key differentiator is the use of Remote Dynamic Dependencies (RDD) where package.json points to a dependency hosted at a custom HTTP URL. This allows operators to change malicious code on the fly and evade pre‑publish inspection.

Initially linked to the PhantomRaven campaign, the packages were later claimed to be part of a legitimate security experiment by a researcher. Endor Labs disputed that explanation, citing three red flags:

  1. The libraries collect far more data than would be necessary for research.
  2. There is no user transparency about data collection.
  3. The packages were published under rotating identities (names and emails).

As of March 12, 2026, the package owner has modified some of the payloads, replacing the data‑harvesting code with a simple “Hello, world!” message.

Endor Labs warns this pivot underscores the inherent risk of URL-based dependencies: when code lives outside the npm registry, the publisher retains full control over the payload without releasing a new version. By editing a single server-hosted file, or taking it offline, the author can silently alter or disable the behavior of every dependent package at once.
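As an added example, not Endor Labs' tooling, the script below classifies each dependency spec in a constructed package.json and reports the ones that resolve outside the npm registry, which is exactly where a Remote Dynamic Dependency lives. The hostnames and package names are invented.

```python
"""Flag npm dependencies whose code the registry never sees.

npm accepts several spec shapes besides a version range: http(s) tarball
URLs, git URLs, GitHub-style "owner/repo" shorthand, local paths and
"npm:" aliases. Only registry specs resolve to an immutable published
tarball under a given version. The manifest below is constructed.
"""
import json
import re

URL_RE = re.compile(r"^https?://", re.I)
GIT_RE = re.compile(r"^(git(\+\w+)?://|git@|github:|gitlab:|bitbucket:|gist:)", re.I)
# "owner/repo" or "owner/repo#ref": no scheme, exactly one slash.
SHORTHAND_RE = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")
FILE_RE = re.compile(r"^(file:|\.{0,2}/)")
ALIAS_RE = re.compile(r"^npm:")


def classify(spec):
    """Map one dependency spec to where its code actually comes from."""
    s = spec.strip()
    if URL_RE.match(s):
        return "remote-url"       # fetched from an arbitrary web server
    if GIT_RE.match(s) or SHORTHAND_RE.match(s):
        return "git"              # fetched from a repository, ref may move
    if FILE_RE.match(s):
        return "local"
    if ALIAS_RE.match(s):
        return "alias"            # registry package under another name
    return "registry"             # semver range, exact version, dist-tag


DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")


def remote_dependencies(manifest):
    """Return [(field, name, spec, kind)] for every dependency whose
    content is controlled by a server or repo outside the registry."""
    findings = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            kind = classify(spec)
            if kind in ("remote-url", "git"):
                findings.append((field, name, spec, kind))
    return findings


# Constructed manifest; ".invalid" hosts never resolve.
SAMPLE_MANIFEST = json.loads("""{
  "name": "example-cli",
  "version": "0.4.2",
  "dependencies": {
    "lodash": "^4.17.21",
    "chalk": "5.3.0",
    "helper-utils": "http://deps.example.invalid/helper-utils.tgz",
    "build-tools": "git+https://git.example.invalid/tools.git#main",
    "fast-json": "someone/fast-json"
  },
  "devDependencies": {
    "eslint": "latest",
    "local-fixture": "file:../fixtures"
  }
}""")

if __name__ == "__main__":
    for field, name, spec, kind in remote_dependencies(SAMPLE_MANIFEST):
        print(f"{field}: {name} -> {spec}  [{kind}]")
```

Run over the lockfile's view of the tree rather than only the top-level manifest, this catches the pattern wherever a transitive package introduces it. A committed lockfile with an integrity hash will notice a changed tarball on later installs (when it is honoured, as with npm ci), but it does nothing for the first install, and it cannot tell you that the dependency is mutable by design.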
