Cybersecurity researchers have uncovered a new and more sophisticated iteration of the GlassWorm malware campaign, highlighting a significant escalation in software supply chain attacks targeting developers. The latest wave of the campaign exploits the Open VSX registry, using trusted extension relationships to quietly distribute malicious payloads through developer tools.

According to security researchers, the attackers are now abusing extensionPack and extensionDependencies features within the Open VSX ecosystem to propagate malware. Instead of embedding malicious code directly inside each extension, the attackers upload extensions that initially appear legitimate. In later updates, those extensions begin silently pulling additional malicious components linked to the GlassWorm campaign. This tactic allows threat actors to establish trust with users before introducing the harmful payload.


Security company Socket reported discovering at least 72 malicious extensions in the Open VSX registry since January 31, 2026. These extensions were designed to mimic widely used developer utilities such as code linters, formatters, code runners, and tools associated with AI-powered coding assistants like Claude Code and Google Antigravity.

Some of the identified malicious extensions included:

  • angular-studio.ng-angular-extension
  • crotoapp.vscode-xml-extension
  • gvotcha.claude-code-extension
  • mswincx.antigravity-cockpit
  • tamokill12.foundry-pdf-extension
  • turbobase.sql-turbo-tool
  • vce-brendan-studio-eich.js-debuger-vscode

The Open VSX registry has since taken steps to remove these extensions following the disclosure.

GlassWorm is an ongoing malware campaign that has repeatedly infiltrated developer marketplaces such as Microsoft Visual Studio Marketplace and Open VSX. The malicious extensions are designed to steal sensitive data, extract authentication secrets, drain cryptocurrency wallets, and even turn infected systems into proxy infrastructure for other cybercriminal operations.

Although the campaign was publicly highlighted in October 2025, researchers note that similar tactics had already appeared earlier in 2025 within malicious npm packages. In those earlier attacks, threat actors used invisible Unicode characters to conceal malicious code from developers reviewing source files.

The newest GlassWorm variant continues to employ several known evasion techniques. These include checks designed to avoid infecting systems using a Russian language locale and the use of Solana blockchain transactions as a “dead drop” mechanism to retrieve command-and-control server addresses. By leveraging blockchain infrastructure, attackers can dynamically update the location of their control servers while remaining difficult to track.


Researchers also observed heavier code obfuscation in the new extensions and the rotation of Solana wallets used by the attackers. This approach makes detection more difficult and complicates efforts to track the campaign’s financial flows.

In addition to malicious extensions, investigators found that attackers are injecting open-source repositories with hidden Unicode characters that encode malware loaders. These characters remain invisible when viewed in standard code editors or terminals but decode into scripts capable of downloading and executing second-stage malware designed to steal tokens, credentials, and other secrets.

Between March 3 and March 9, 2026, at least 151 GitHub repositories were reportedly compromised using this method. Researchers also discovered two npm packages leveraging the same Unicode obfuscation technique: @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp.
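As an added illustration of the review check this technique calls for (not code from the researchers or from any project named above), the scanner below reports runs of invisible or bidirectional-control code points in a source file with their line and column. The code point ranges are assumptions, since the article does not say which characters the campaign used; the sample file is constructed.

```javascript
// Code point ranges that render as nothing (or reorder text) in most editors.
// Assumed list of usual suspects, not taken from the GlassWorm reports.
const INVISIBLE_RANGES = [
  [0x00ad, 0x00ad],   // soft hyphen
  [0x200b, 0x200f],   // zero-width space/joiners, LRM/RLM
  [0x202a, 0x202e],   // bidi embedding and override controls
  [0x2060, 0x2064],   // word joiner, invisible operators
  [0x2066, 0x2069],   // bidi isolates
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // zero-width no-break space (BOM in mid-file)
  [0xe0000, 0xe007f], // Unicode "tags" block
  [0xe0100, 0xe01ef], // variation selectors supplement
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per contiguous run of invisible code points:
// { line, column, length, codepoints }, with 1-based line and column.
function scanInvisible(text) {
  const findings = [];
  let line = 1, col = 0, run = null;
  for (const ch of text) { // string iteration yields code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    col += 1;
    if (isInvisible(cp)) {
      if (!run) run = { line, column: col, length: 0, codepoints: [] };
      run.length += 1;
      run.codepoints.push("U+" + cp.toString(16).toUpperCase().padStart(4, "0"));
      continue;
    }
    if (run) { findings.push(run); run = null; }
    if (ch === "\n") { line += 1; col = 0; }
  }
  if (run) findings.push(run);
  return findings;
}

// Constructed sample: a harmless-looking module with three variation
// selectors hidden after the semicolon on line 2 (column 26 onward).
const SAMPLE = 'const version = "1.0.3";\nmodule.exports = version;' +
  "\u{E0101}\u{E0102}\u{E0103}" + "\nconsole.log(version);\n";

for (const f of scanInvisible(SAMPLE)) {
  console.log(`line ${f.line} col ${f.column}: ${f.length} hidden code point(s) ${f.codepoints.join(" ")}`);
}
```

Run it over each changed file in a pull request; a non-empty result is a reason to inspect the commit byte by byte rather than in the editor.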

Security experts believe the attackers are using advanced automation and possibly large language models to generate realistic code changes that conceal the malicious payloads. The injected commits often appear legitimate, containing documentation updates, small bug fixes, or version changes that blend seamlessly with the surrounding project activity.

Separately, researchers identified another wave of suspicious npm packages associated with a campaign initially labeled PhantomRaven. Endor Labs discovered 88 malicious packages uploaded between November 2025 and February 2026 through 50 disposable accounts. These packages were capable of collecting environment variables, CI/CD tokens, and system metadata from compromised machines.

The packages relied on a technique known as Remote Dynamic Dependencies (RDD), where dependencies are loaded from external HTTP URLs rather than the official npm registry. This allows attackers to modify or replace malicious payloads remotely without publishing a new package version, making detection significantly more difficult.
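To make the two manifest-level tells described above concrete (extensionDependencies or extensionPack links that show up only in a later update, and npm dependencies resolved from an HTTP URL instead of the registry), here is an added audit routine for a package.json update. It is not code from Socket, Endor Labs or Open VSX; the manifests, publisher names and the URL are constructed.

```javascript
// npm dependency specifiers that bypass the registry (the RDD pattern).
const HTTP_SPECIFIER = /^(https?:\/\/|git\+https?:\/\/)/i;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Extension ids have the form "publisher.name"; return the publisher part.
function publisherOf(extensionId) {
  return extensionId.split(".")[0].toLowerCase();
}

// Compare a previously reviewed manifest with an updated one and return the
// findings a reviewer should look at before accepting the update.
function auditManifestUpdate(prev, curr) {
  const findings = [];
  const ownPublisher = (curr.publisher || "").toLowerCase();
  for (const field of ["extensionDependencies", "extensionPack"]) {
    const before = new Set(prev[field] || []);
    for (const id of curr[field] || []) {
      if (before.has(id)) continue; // already present in the reviewed version
      findings.push({
        kind: "new-extension-link", field, id,
        crossPublisher: publisherOf(id) !== ownPublisher,
      });
    }
  }
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(curr[field] || {})) {
      if (typeof spec === "string" && HTTP_SPECIFIER.test(spec)) {
        findings.push({ kind: "remote-dynamic-dependency", field, name, spec });
      }
    }
  }
  return findings;
}

// Constructed manifests: version 1.0.1 adds an extension from another
// publisher and an npm dependency fetched from an arbitrary URL.
const REVIEWED = {
  name: "tidy-formatter", publisher: "acme-tools", version: "1.0.0",
  extensionDependencies: ["acme-tools.tidy-core"],
  dependencies: { "prettier": "^3.3.0" },
};
const UPDATED = {
  name: "tidy-formatter", publisher: "acme-tools", version: "1.0.1",
  extensionDependencies: ["acme-tools.tidy-core", "other-pub.helper-runtime"],
  dependencies: { "prettier": "^3.3.0", "helper-lib": "https://example.invalid/helper-1.2.3.tgz" },
};

console.log(JSON.stringify(auditManifestUpdate(REVIEWED, UPDATED), null, 2));
```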

Although the packages were later claimed to be part of a security research experiment, analysts raised concerns about the scale and behavior of the campaign, noting the excessive data collection and lack of transparency surrounding the experiment.

The recent GlassWorm and related campaigns underscore the growing risks facing the open-source ecosystem, particularly as developers increasingly rely on third-party packages and extensions. Supply chain attacks that exploit trusted development tools are becoming more sophisticated, emphasizing the need for stronger verification processes, improved dependency monitoring, and enhanced security awareness within the software development community.

