GlassWorm Malware Exploits OpenVSX Extension to Infect Multiple IDEs

Severity: High (Score: 64.5)

Sources: Cybersecuritynews, Aikido.Dev

Summary

A malicious extension named code-wakatime-activity-tracker has been identified on the OpenVSX marketplace, designed to spread the GlassWorm malware across multiple integrated development environments (IDEs) including VS Code, Cursor, and Windsurf. This extension masquerades as a legitimate productivity tool, utilizing a Zig-compiled native binary to stealthily install a malicious .vsix package into every compatible IDE found on the victim's machine. The attack targets all IDEs that support the VS Code extension format, significantly broadening its impact. The malware was first discovered in March 2025 and has evolved to include this new method of infection. The native binaries provide the malware with OS-level access, allowing it to operate outside the JavaScript sandbox. Developers using affected IDEs are at risk of having their systems compromised, with the potential for data theft and further exploitation. The situation remains critical as the malware continues to spread through this new vector.

Key Points:

  • A fake OpenVSX extension is spreading GlassWorm malware across multiple IDEs.
  • The malware uses a Zig-compiled native binary for stealthy installation.
  • Developers using VS Code, Cursor, and Windsurf are particularly at risk.
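A defender-side check for the behaviour summarised above, added here as an example and not taken from the cited sources: it walks the per-user extension folders of the three IDEs named on this page, flags any installed extension whose manifest or folder name matches the reported extension name, and lists extensions that ship native executables. The folder locations in `IDE_DIRS` and the function names are assumptions for illustration.

```python
import json
from pathlib import Path

SUSPECT_NAME = "code-wakatime-activity-tracker"  # extension name reported on this page
# Assumed default per-user extension folders; adjust for portable or custom installs.
IDE_DIRS = {"VS Code": ".vscode/extensions", "Cursor": ".cursor/extensions",
            "Windsurf": ".windsurf/extensions"}
# Leading bytes of ELF, PE and Mach-O (thin and universal) files.
MAGICS = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

def native_files(ext_dir):
    """List files under ext_dir whose first bytes match a native-binary format."""
    hits = []
    for path in sorted(ext_dir.rglob("*")):
        try:
            if not path.is_file():
                continue
            with path.open("rb") as fh:
                head = fh.read(4)
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if head.startswith(MAGICS):
            hits.append(str(path.relative_to(ext_dir)))
    return hits

def scan(home):
    """Return one finding per extension that matches the name or ships native code."""
    findings = []
    for ide, rel in IDE_DIRS.items():
        root = Path(home) / rel
        if not root.is_dir():
            continue  # IDE not installed for this user
        for ext_dir in sorted(d for d in root.iterdir() if d.is_dir()):
            try:
                manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
            except (OSError, ValueError):
                manifest = {}  # missing or malformed manifest
            name = manifest.get("name", "") if isinstance(manifest, dict) else ""
            name_match = name == SUSPECT_NAME or SUSPECT_NAME in ext_dir.name.lower()
            native = native_files(ext_dir)
            if name_match or native:
                findings.append({"ide": ide, "dir": ext_dir.name,
                                 "name_match": name_match, "native": native})
    return findings

if __name__ == "__main__":
    for f in scan(Path.home()):
        label = "NAME MATCH" if f["name_match"] else "ships native code"
        print(f'{f["ide"]}: {f["dir"]} [{label}] {f["native"]}')
```

Many legitimate extensions bundle native binaries, so a native-code finding without a name match is a prompt for review, not a verdict. The same extension folder appearing under more than one IDE is worth checking against what the user actually installed.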

Key Entities

  • Glassworm (malware)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Trojan (attack_type)
  • T1036 - Masquerading (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Cursor (company)
  • MacOS (platform)
  • OpenVSX Marketplace (platform)
  • Windows (platform)
  • Windsurf (platform)
  • VS Code (tool)
  • Cmd.exe (tool)