GlassWorm Malware Campaign Targets OpenVSX with 73 Malicious Extensions

GlassWorm Malware Campaign Targets OpenVSX with 73 Malicious Extensions

First seen 27 Apr 2026, 12:34 UTC CybersecuritynewsThehackernewsBleepingcomputerScworldDarkreading+2 86% similarity 72.5

Article Content

Browse articles
ThreatCluster

A resurgence of the GlassWorm malware campaign has been identified, targeting the OpenVSX ecosystem with 73 'sleeper' extensions that become malicious after updates. Six of these extensions have already been activated to deliver malware, while the remaining are suspected to be dormant. Initially benign, these extensions are designed to trick developers by mimicking legitimate ones, utilizing similar icons and descriptions. The campaign is a continuation of a supply chain attack strategy first observed in October 2025, which has previously affected various ecosystems, including GitHub and npm packages. The latest wave follows a significant attack in March 2026, which impacted hundreds of repositories. Researchers from Socket have recommended that developers who installed any of the affected extensions rotate their secrets and clean their environments. The full list of the 73 extensions has been published for awareness and mitigation.

Key Points: • 73 sleeper extensions linked to the GlassWorm malware campaign have been identified. • Six extensions are currently delivering malware, with the rest likely dormant. • Developers are advised to rotate secrets and clean their environments if affected.

ThreatCluster AI

Timeline

2025-10-01
GlassWorm campaign first observed.
2026-03-15
Significant wave of GlassWorm attacks documented.
2026-04-26
Discovery of 73 new sleeper extensions linked to GlassWorm.
2026-04-27
Articles published detailing the latest GlassWorm campaign.

Community

Browse all →