GlassWorm Malware Exploits OpenVSX Extension to Infect Multiple IDEs

GlassWorm Malware Exploits OpenVSX Extension to Infect Multiple IDEs

First seen 10 Apr 2026, 08:45 UTC Aikido.DevCybersecuritynewsSecurityaffairs.Co 75% similarity 64.5

Article Content

Browse articles
ThreatCluster

A malicious extension named code-wakatime-activity-tracker has been identified on the OpenVSX marketplace, designed to spread the GlassWorm malware across multiple integrated development environments (IDEs) including VS Code, Cursor, and Windsurf. This extension masquerades as a legitimate productivity tool, utilizing a Zig-compiled native binary to stealthily install a malicious .vsix package into every compatible IDE found on the victim's machine. The attack targets all IDEs that support the VS Code extension format, significantly broadening its impact. The malware was first discovered in March 2025 and has evolved to include this new method of infection. The native binaries provide the malware with OS-level access, allowing it to operate outside the JavaScript sandbox. Developers using affected IDEs are at risk of having their systems compromised, with the potential for data theft and further exploitation. The situation remains critical as the malware continues to spread through this new vector.

Key Points: • A fake OpenVSX extension is spreading GlassWorm malware across multiple IDEs. • The malware uses a Zig-compiled native binary for stealthy installation. • Developers using VS Code, Cursor, and Windsurf are particularly at risk.

ThreatCluster AI

Timeline

2025-03-01
GlassWorm malware first appeared with malicious npm packages.
2026-04-08
New infection method via OpenVSX extension reported.
2026-04-10
Current status of the malware spread discussed.

Community

Browse all →