Threat actors are abusing extension dependency relationships in the Open VSX registry to indirectly deliver malware in a new phase of the GlassWorm supply-chain campaign.
Researchers at Socket said they have identified at least 72 additional malicious Open VSX extensions linked to the campaign since January 31, 2026. The extensions appear to target developers by posing as helpful tools, such as linters, formatters, database utilities, or integrations for AI coding assistants, while serving as delivery vehicles for a malware loader linked to the GlassWorm operation.
“Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing ‘extensionPack’ and ‘extensionDependencies’ to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling separate GlassWorm-linked extensions only after trust has already been established,” Socket researchers said in a blog post.
The new campaign technically retains the same core GlassWorm tradecraft while improving survivability and evasion, the researchers added.
Supply-chain attack hiding in extension relationships
extensionPack and extensionDependencies are two features commonly used by Visual Studio Code extensions to bundle or require other extensions.
According to Socket, threat actors are publishing clean-looking extensions that, after gaining user trust and passing marketplace checks, are later updated to include dependencies on separate extensions that contain the GlassWorm loader. When installed or updated, the editor automatically installs all referenced extensions, including the malicious payload.
This transitive delivery model creates a supply-chain pathway similar to dependency abuse in package ecosystems like npm. One recent case involved the compromise of a maintainer account, after which malicious updates spread backdoor malware. The infamous Shai-Hulud campaign, which had compromised over 800 packages by November 2025, is another instance of self-propagating dependency abuse.
The new approach likely lowers operational overhead for attackers. Instead of embedding the loader in every malicious extension, they can maintain a smaller number of payload extensions while distributing them through a wider network of dependency relationships.
The evolving GlassWorm
Earlier research into the GlassWorm operation has revealed techniques such as heavy code obfuscation, the use of Unicode characters to hide malicious logic, and infrastructure that retrieves command-and-control servers through blockchain transactions, making the campaign more resilient to takedowns.
The latest wave also mimics widely used developer tools to maximise installation chances. “The extensions overwhelmingly impersonate widely installed developer utilities: linters and formatters like ESLint and Prettier, code runners, popular language tooling for Angular, Flutter, Python, and Vue, and common quality-of-life extensions like vscode-icons, WakaTime, and Better Comments,” the researchers said. “Notably, the campaign also targets AI developer tooling, with extensions targeting Claude Code, Codex, and Antigravity.”
The researchers added that as of March 13, Open VSX has removed the majority of the transitively malicious extensions, yet a few remain live, indicating ongoing takedowns.
Socket published indicators of compromise (IOCs) tied to the campaign, including the names of dozens of malicious Open VSX extensions and associated publisher accounts believed to be linked to the operation. Additionally, the researchers recommend treating extension dependencies with the same scrutiny typically applied to software packages. Organizations should monitor extension updates, audit dependency relationships, and restrict installation to trusted publishers where possible, as attackers increasingly exploit the developer tooling ecosystem as a supply-chain entry point.
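As an added illustration of the extensionPack/extensionDependencies mechanism described above and of the dependency audit Socket recommends (example code written for this article, not tooling from Socket or Open VSX): the script walks both manifest fields transitively, reports references that a new release introduced, and flags any transitive extension whose publisher is not on an allowlist. The manifests, extension ids and publisher names are constructed placeholders, not indicators from the report.

```python
from collections import deque

# Constructed package.json excerpts keyed by "publisher.name" (placeholders only).
# Release 1.0.0 of the root extension declared no dependencies; 1.1.0 adds an
# extensionPack entry, which in turn pulls a third extension via extensionDependencies.
PREVIOUS_ROOT = {"publisher": "goodtools", "name": "tidy-format", "version": "1.0.0"}
REGISTRY = {
    "goodtools.tidy-format": {"publisher": "goodtools", "name": "tidy-format",
                              "version": "1.1.0", "extensionPack": ["helper-pub.format-core"]},
    "helper-pub.format-core": {"publisher": "helper-pub", "name": "format-core",
                               "version": "0.3.0", "extensionDependencies": ["helper-pub.runtime-loader"]},
    "helper-pub.runtime-loader": {"publisher": "helper-pub", "name": "runtime-loader", "version": "0.1.0"},
}
DEP_FIELDS = ("extensionDependencies", "extensionPack")  # both cause automatic installs


def declared_refs(manifest):
    """Extension ids a manifest pulls in through either field (ids compared case-insensitively)."""
    refs = set()
    for field in DEP_FIELDS:
        refs.update(ref.lower() for ref in manifest.get(field, []))
    return refs


def resolve_transitive(root_id, registry):
    """Breadth-first walk of the dependency graph; returns {extension_id: depth}.
    Ids absent from the registry are still reported so unresolved references stay visible."""
    seen = {root_id: 0}
    queue = deque([root_id])
    while queue:
        current = queue.popleft()
        for ref in declared_refs(registry.get(current, {})):
            if ref not in seen:
                seen[ref] = seen[current] + 1
                queue.append(ref)
    return seen


def added_refs(old_manifest, new_manifest):
    """References present in the new release but not the old one: the post-trust update pattern."""
    return declared_refs(new_manifest) - declared_refs(old_manifest)


def audit(root_id, registry, trusted_publishers):
    """Transitive extension ids whose publisher is outside the allowlist, shallowest first."""
    flagged = [(ext_id, depth) for ext_id, depth in resolve_transitive(root_id, registry).items()
               if ext_id.split(".", 1)[0] not in trusted_publishers]
    return sorted(flagged, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    print("new refs in update:", added_refs(PREVIOUS_ROOT, REGISTRY["goodtools.tidy-format"]))
    print("untrusted transitive:", audit("goodtools.tidy-format", REGISTRY, {"goodtools"}))
```

In practice the registry dict would be filled from the package.json of each installed extension (for example under the editor's extensions directory) and the previous manifest from the last audited copy.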