GlassWorm Campaign Expands with 72 Malicious Open VSX Extensions

GlassWorm Campaign Expands with 72 Malicious Open VSX Extensions

First seen 14 Mar 2026, 07:41 UTC GbhackersCybersecuritynewsCsoonlineThecyberexpressDarkreading+2 86% similarity 66.5

Article Content

Browse articles
ThreatCluster

The GlassWorm malware campaign has intensified its operations by utilizing 72 newly identified malicious Open VSX extensions. These extensions exploit transitive dependencies within developer environments, allowing the malware to spread more effectively. The Socket Research Team reported these findings on March 13, 2026, highlighting the campaign's sophisticated approach of embedding malicious payloads in dependencies rather than directly in initial extensions. This method broadens the attack surface, potentially affecting numerous developers and organizations using vulnerable extensions. The campaign continues to employ advanced techniques such as staged JavaScript execution and in-memory code execution. As of now, specific CVEs and remediation steps have not been disclosed, but the threat remains significant. Security professionals are advised to remain vigilant and monitor their environments for unusual activity related to these extensions.

Key Points: • GlassWorm campaign utilizes 72 malicious Open VSX extensions to infect developer environments. • Malware spreads through transitive dependencies, enhancing its reach and impact. • Advanced techniques like in-memory execution are employed, indicating a sophisticated threat.

ThreatCluster AI

Timeline

2026-03-13
Socket Research Team reports 72 malicious Open VSX extensions identified.

Community

Browse all →