"This approach achieves the same outcome as the binary-based variant, but keeps the delivery logic in obfuscated JavaScript," Socket said. "The extension acts as a loader, while the payload is retrieved and executed after activation."
Socket's analysis and the scope of GlassWorm v2
Security researchers at application security company Socket have flagged a cluster of 73 cloned Microsoft Visual Studio Code extensions on the Open VSX repository that are linked to a persistent information‑stealing campaign Socket is tracking as GlassWorm v2. According to Socket, all of the extensions were published at the start of the month, and the company has identified more than 320 related artifacts dating back to December 21, 2025.
The six confirmed malicious extensions
Among the 73 cloned packages, Socket confirmed six as malicious. The identified malicious extensions are:
- outsidestormcommand.monochromator-theme
- keyacrosslaud.auto-loop-for-antigravity
- krundoven.ironplc-fast-hub
- boulderzitunnel.vscode-buddies
- cubedivervolt.html-code-validate
- winnerdomain17.version-lens-tool
Socket describes the remainder of the cluster as seemingly harmless "sleeper" packages: clones that build trust through normal installs before a later update flips behavior to deliver malware.
Typosquatting, "visual trust," and sleeper packages
The cloned packages frequently use typosquatting—variants of legitimate package names—and duplicate the same icon and description as the originals to mislead developers. Socket points to examples such as CEINTL.vscode-language-pack-tr versus Emotionkyoseparate.turkish-language-pack to illustrate how names are altered and visuals copied. That duplicated appearance creates what Socket calls "visual trust," a social‑engineering tactic intended to raise install counts organically before an update introduces malicious logic.
Zig-based droppers, VSIX secondary payloads, and targeted IDEs
Socket reports the threat actors behind GlassWorm v2 have been evolving their tactics to evade detection. The campaign pivots to sleeper packages and leverages transitive dependencies, while using Zig‑based droppers to deploy a secondary VSIX extension hosted on GitHub. The initial Open VSX extension functions as an innocuous loader that retrieves this secondary VSIX from GitHub and installs it into every integrated development environment identified on the host.
Socket lists the IDEs targeted by the secondary payload as VS Code, Cursor, Windsurf, and VSCodium. Installation is performed using the standard CLI switch, "--install-extension", allowing the VSIX to be added to multiple IDEs on a developer's machine.
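As an added defender-side example (not Socket's or The Hacker News' code), the following Python script checks the per-user extension folders of the four IDEs named above for the six confirmed-malicious extension IDs from the list earlier on this page; the extension-root paths under the home directory are assumptions, not taken from the disclosure.

```python
"""Scan local IDE extension folders for the six GlassWorm v2 extension IDs Socket named (added example)."""
import json
from pathlib import Path
from typing import Iterable, Optional

# Extension IDs Socket confirmed as malicious, as publisher.name (compared case-insensitively).
MALICIOUS_IDS = frozenset({
    "outsidestormcommand.monochromator-theme",
    "keyacrosslaud.auto-loop-for-antigravity",
    "krundoven.ironplc-fast-hub",
    "boulderzitunnel.vscode-buddies",
    "cubedivervolt.html-code-validate",
    "winnerdomain17.version-lens-tool",
})

# Assumed per-user extension roots for the four IDEs the secondary VSIX targets
# (VS Code, VSCodium, Cursor, Windsurf); adjust for your environment.
ROOTS = [Path.home() / p for p in (".vscode/extensions", ".vscode-oss/extensions",
                                     ".cursor/extensions", ".windsurf/extensions")]

def extension_id(package_json_text: str) -> Optional[str]:
    """Return the normalised 'publisher.name' ID from a package.json body, or None."""
    try:
        meta = json.loads(package_json_text)
    except json.JSONDecodeError:
        return None
    publisher = meta.get("publisher") if isinstance(meta, dict) else None
    name = meta.get("name") if isinstance(meta, dict) else None
    if not isinstance(publisher, str) or not isinstance(name, str):
        return None
    return f"{publisher}.{name}".lower()

def flag_ids(ids: Iterable[str]) -> list:
    """Return the sorted subset of extension IDs that are in the known-malicious set."""
    return sorted({i.lower() for i in ids if i.lower() in MALICIOUS_IDS})

def installed_ids(roots: Iterable[Path]) -> dict:
    """Map each installed extension ID to the folders it was found in across all roots."""
    found: dict = {}
    for root in roots:
        for pkg in root.glob("*/package.json") if root.is_dir() else []:
            ext_id = extension_id(pkg.read_text(encoding="utf-8", errors="replace"))
            if ext_id:
                found.setdefault(ext_id, []).append(pkg.parent)
    return found

if __name__ == "__main__":
    found = installed_ids(ROOTS)
    for ext_id in flag_ids(found):
        print(f"FLAGGED {ext_id}: " + ", ".join(map(str, found[ext_id])))
```

Because the same VSIX is installed into every IDE found on the host, a hit in one root is a cue to check the others and the browser extension directories as well.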
Regardless of delivery method, Socket says the end goal is consistent: run malware that avoids Russian systems, steal sensitive data, install a remote access trojan (RAT), and stealthily deploy a rogue Chromium‑based extension to siphon credentials, bookmarks, and other information.
What this means for developers, enterprises, and open-source maintainers
- Developers: Expect cloned or typosquatted packages that mirror icons and descriptions; the reported use of sleeper packages means an extension that initially appears benign can later retrieve and install a secondary VSIX payload into multiple IDEs.
- Enterprises and security teams: The campaign's use of transitive dependencies and a Zig‑based dropper to install VSIX files across IDEs underscores a pathway for malware to reach workstations via development tools and to deploy a RAT and rogue browser extension for credential theft.
- Open‑source maintainers and repository operators: The cluster of 73 cloned extensions on Open VSX highlights how name collisions, copied metadata, and hosting of secondary payloads on GitHub can be abused to trade on "visual trust" and scale installs before malicious activation.
Socket continues to track the latest iteration under the moniker GlassWorm v2 and has cataloged the known malicious extensions and broader artifact set. The disclosure illustrates a shift from binary‑based delivery to obfuscated JavaScript loaders and multi‑IDE VSIX deployment—tactics the company says preserve the attackers' outcome while changing the mechanics of delivery.
Read the original Socket‑based disclosure at The Hacker News: https://thehackernews.com/2026/04/researchers-uncover-73-fake-vs-code.html