UPDATE
The ongoing GlassWorm campaign has deployed a fresh wave of malicious Visual Studio (VS) Code extensions, many of which seem initially benign but later deploy self-replicating malware that can poison the software supply chain.
Researchers from Socket discovered a new cluster of 73 so-called “sleeper” extensions beginning in April, tied to the self-propagating malware activity reported last month on the Open VSX marketplace. The latest wave demonstrates that the campaign continues to scale and evolve, according to a recent report published by the Socket Research Team.
A sleeper extension or package is a threat actor-controlled imposter that is published before it’s weaponized to build trust and generate downloads, but later can be updated to deliver malware. Earlier GlassWorm campaigns seeded sleeper extensions that remained dormant or fetched payloads later from external sources.
The latest wave of malicious extensions, however, includes a capability to automatically fetch and execute malicious payloads at a later date, demonstrating a new evasion and propagation tactic, according to the report.
“Some variants rely on external payload retrieval, others rely on bundled native binaries, including reused installer components seen in prior GlassWorm activity,” according to the research team. However, the common pattern throughout GlassWorm’s latest activity “is that the extension itself acts as a thin loader,” according to the report.
“This is a tactical shift toward survivability and evasion: the malware is less tied to a single obvious malicious file in the extension source and more spread across updates, external payload hosting, obfuscation, native binaries, and cross-editor installation behavior,” Philipp Burckhardt, head of threat intelligence at Socket, tells Dark Reading.
Supply Chain Threat Persists
GlassWorm is a family of self-propagating malware first documented by researchers at Koi Security in October 2025 as it spread across Open VSX, an open source alternative to Microsoft’s Visual Studio Marketplace. Its name comes from a coding technique used in the malware’s original incarnation: Unicode characters that don’t render in a code editor, which effectively made the malicious code invisible.
GlassWorm’s goal is to infect software developers with infostealers to obtain a target organization’s secrets and credentials, which an attacker can then further weaponize to publish poisoned versions of projects maintained by that victim. This creates a downstream effect on the supply chain and allows the malware to self-replicate; when a victim downloads that poisoned package, they inadvertently facilitate its propagation.
“The risk is full compromise of a developer workstation,” Burckhardt says. “These extensions run inside developer environments that often have access to source code, credentials, API keys, SSH keys, cloud tokens, package publishing credentials, and internal systems.”
At least six of the extensions already have been activated with malware, while the others are sleepers or appear potentially suspicious, according to the report. The number of GlassWorm extensions also remains in flux, because it’s unclear how many may activate to become malicious. However, they follow a pattern consistent with other GlassWorm infections in that they “are first published without an obvious payload, then later updated to deliver malware through the normal extension update path,” the team wrote.
The extensions also demonstrate an “impersonation pattern” to mimic legitimate extensions on Open VSX to trick developers into installing malicious ones. In fact, attackers are cloning legitimate listings almost exactly — replicating names, icons, descriptions, and even README content — while only changing subtle details like the publisher name and unique identifier.
In one example, a fake Turkish language package closely mimics the official version, making the differences easy to miss during routine browsing, according to the Socket team. “The difference is subtle enough that a developer browsing quickly could miss it,” according to the report. “This is the core social engineering pattern behind the latest GlassWorm cluster: cloned listings create enough visual trust to attract installs before any malware is introduced.”
Increased Evasion Demands a Response
The latest dump of GlassWorm extensions doesn’t show technical innovation, Idan Dardikman, chief technology officer (CTO) and co-founder at Koi Security, tells Dark Reading. However, it does show a maturing threat actor “running the same playbook at larger scale and with all tools deployed at once,” he says, which means the GlassWorm threat continues to persist.
As campaigns like this expand, it becomes harder than ever for developers to differentiate legitimate packages and extensions from malicious ones, perpetuating the existing risk to the software supply chain. For this reason, Socket urges caution for organizations whose developers use public sites that share code for various software projects.
Specifically, before downloading any code that will be deployed in a production environment, developers should examine factors such as download counts and try to verify that the package or extension comes from a legitimate user by reviewing extension publisher identity, age, download patterns, and naming similarity before approving use, Burckhardt says. They can also audit installed extensions for recent updates, especially newly published or low-reputation Open VSX extensions, to protect their environments from bad code.
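The checks above (publisher identity, listing age, download patterns, naming similarity, recent updates) and the cloned-listing pattern described earlier can be turned into a simple allowlist-driven audit. The script below is an added example, not Socket’s or Koi Security’s tooling; every listing in it is constructed for illustration, the identifiers are not real extensions or IoCs, and the thresholds (90 days, 1,000 downloads, 14 days, 0.85 similarity) are assumptions to tune locally. It flags a listing that mirrors a trusted extension’s name under a different publisher, a very new or low-download listing, and an established-looking listing that has just pushed an update, which is the sleeper pattern the report describes.

```python
"""Audit VS Code / Open VSX extension listings for the warning signs named in
the article: publisher identity, listing age, download counts, naming
similarity to a trusted extension, and recent updates (the sleeper pattern).

Added example, not Socket's tooling. All listings below are constructed;
none of the identifiers are real extensions or IoCs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Listing:
    extension_id: str       # marketplace id in "publisher.name" form
    display_name: str       # what the developer sees while browsing
    publisher: str
    published: datetime     # first publication of the listing
    last_updated: datetime  # most recent version push
    downloads: int


def name_similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def looks_like(ext: Listing, trusted: Listing, threshold: float) -> bool:
    """True when ext mirrors a trusted listing's name but comes from another publisher."""
    if ext.publisher == trusted.publisher:
        return False
    by_display = name_similarity(ext.display_name, trusted.display_name)
    by_id = name_similarity(ext.extension_id.split(".", 1)[-1],
                            trusted.extension_id.split(".", 1)[-1])
    return max(by_display, by_id) >= threshold


def audit(listings, trusted, now, *, min_age_days=90, min_downloads=1000,
          recent_update_days=14, similarity=0.85):
    """Return {extension_id: [reasons]} for every listing that trips a check.

    Thresholds are illustrative assumptions. Exact matches of a trusted id
    are skipped: the trusted list is the allowlist.
    """
    trusted_ids = {t.extension_id for t in trusted}
    findings = {}
    for ext in listings:
        if ext.extension_id in trusted_ids:
            continue
        reasons = []
        for t in trusted:
            if looks_like(ext, t, similarity):
                reasons.append(f"name mirrors trusted {t.extension_id} "
                               f"but publisher is {ext.publisher!r}")
                break
        age = now - ext.published
        if age < timedelta(days=min_age_days):
            reasons.append(f"listing is only {age.days} days old")
        if ext.downloads < min_downloads:
            reasons.append(f"low download count ({ext.downloads})")
        since_update = now - ext.last_updated
        if since_update < timedelta(days=recent_update_days):
            reasons.append(f"updated {since_update.days} days ago; "
                           f"review the new version before keeping it installed")
        if reasons:
            findings[ext.extension_id] = reasons
    return findings


# --- constructed sample data (not real extensions) ---------------------------
NOW = datetime(2026, 4, 28, tzinfo=timezone.utc)

TRUSTED = [
    Listing("trusted-pub.turkish-language-pack", "Turkish Language Pack",
            "trusted-pub", datetime(2023, 1, 10, tzinfo=timezone.utc),
            datetime(2025, 11, 5, tzinfo=timezone.utc), 250_000),
]

LISTINGS = TRUSTED + [
    # clone of the trusted listing under a different publisher, a few weeks old
    Listing("other-pub.turkish-language-pack", "Turkish Language Pack",
            "other-pub", datetime(2026, 4, 2, tzinfo=timezone.utc),
            datetime(2026, 4, 25, tzinfo=timezone.utc), 120),
    # established-looking listing that just pushed an update (sleeper pattern)
    Listing("some-pub.fancy-theme", "Fancy Theme", "some-pub",
            datetime(2025, 12, 1, tzinfo=timezone.utc),
            datetime(2026, 4, 26, tzinfo=timezone.utc), 4_200),
    # old, popular, not recently updated: nothing to flag
    Listing("good-pub.linter", "Linter", "good-pub",
            datetime(2022, 5, 1, tzinfo=timezone.utc),
            datetime(2026, 1, 15, tzinfo=timezone.utc), 90_000),
]


def run_audit():
    """Run the audit over the constructed sample set."""
    return audit(LISTINGS, TRUSTED, NOW)


if __name__ == "__main__":
    for ext_id, reasons in run_audit().items():
        print(ext_id)
        for reason in reasons:
            print("  -", reason)
```

On the sample set the cloned listing trips all four checks, the theme trips only the recent-update check, and the old, popular linter is clean. In practice the listing fields would come from the marketplace’s metadata and the trusted list from the organization’s own approved-extension inventory; a recent update on an otherwise clean extension is exactly the event the report says should trigger a review rather than a silent upgrade.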
“The important thing to remember when it comes to extension security is that a clean initial version is no longer enough to establish trust,” Burckhardt says. “Organizations need continuous monitoring of extension updates and transitive installation behavior, because these campaigns are increasingly designed to become malicious only after publication.”
To help developers recognize malicious extensions related to GlassWorm, the Socket team included a list of indicators of compromise (IoCs) in their report that features the confirmed malware-activated extensions as well as sleeper extensions. The researchers also included IoCs related to native installer binaries and various payloads, including a downloaded VSX payload and links to GitHub payload hosting sites.
This story was updated at 12:25 p.m. on April 28 to reflect comments from Socket.