As developer ecosystems become prime targets for supply chain attacks, malicious extensions are increasingly being used to infiltrate software environments and steal sensitive data.
Researchers have uncovered a large-scale campaign involving 73 fake extensions on the Open VSX repository linked to the GlassWorm v2 malware. The operation, tracked by Socket, involves cloned versions of legitimate Visual Studio Code extensions designed to deceive developers and distribute malicious payloads. The findings highlight growing risks within developer toolchains, where trust in open-source ecosystems can be exploited.
According to Socket, six of the identified extensions are actively malicious, while the rest function as sleeper packages. These sleeper extensions appear harmless at first, mimicking legitimate tools with identical names, icons, and descriptions. Over time, they can be updated with malicious code, allowing attackers to build trust and increase download counts before activating their payloads. This tactic relies heavily on visual deception, making it difficult for users to distinguish between legitimate and compromised extensions.
The GlassWorm v2 malware campaign has evolved significantly, with more than 320 related artifacts identified since late 2025. Attackers are now using advanced techniques such as typosquatting and transitive dependencies to evade detection. By slightly altering extension names or embedding malicious components within dependency chains, they can bypass traditional security checks and reach a wider audience.
Once installed, the malicious extensions act as loaders rather than delivering the payload directly. They retrieve a secondary extension from repositories such as GitHub and install it across multiple integrated development environments on the infected system. This includes not only Visual Studio Code but also tools like Cursor, Windsurf, and VSCodium. The use of command-line installation methods allows the malware to spread silently across development environments.
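A defender-side inventory check for the two tactics described above: clones that reuse a legitimate extension's display name, icon and description under a different publisher ID, and payloads planted across every VS Code-family IDE on the machine. This is an added example, not code from the article or from Socket; the extension directory paths are assumptions for a Linux/macOS profile, and the sample manifests are constructed.

```python
import json
from collections import defaultdict
from pathlib import Path

# Extension folders of the IDEs the article names. Locations are assumptions for a
# Linux/macOS user profile; adjust for Windows (%USERPROFILE%) as needed.
IDE_EXTENSION_DIRS = {
    "vscode": Path.home() / ".vscode" / "extensions",
    "vscodium": Path.home() / ".vscode-oss" / "extensions",
    "cursor": Path.home() / ".cursor" / "extensions",
    "windsurf": Path.home() / ".windsurf" / "extensions",
}

def load_manifests(ide_dirs):
    """Yield (ide, folder, manifest) for every <ext>/package.json under each IDE dir."""
    for ide, root in ide_dirs.items():
        if not root.is_dir():
            continue
        for pkg in root.glob("*/package.json"):
            try:
                yield ide, pkg.parent.name, json.loads(pkg.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest: skip it rather than abort the inventory

def find_lookalikes(manifests):
    """Return {display_name: {publisher: [ides]}} for names served by more than one publisher.
    A clone copies the original's displayName, icon and description but has to ship
    under its own publisher ID, so one name resolving to several publishers is the signal.
    """
    by_name = defaultdict(lambda: defaultdict(list))
    for ide, _folder, m in manifests:
        name = (m.get("displayName") or m.get("name") or "").strip().lower()
        publisher = (m.get("publisher") or "").strip().lower()
        if name and publisher:
            by_name[name][publisher].append(ide)
    return {n: {p: sorted(ides) for p, ides in pubs.items()}
            for n, pubs in by_name.items() if len(pubs) > 1}

# Constructed sample input (not real extensions): one cloned name and one unique one.
SAMPLE_MANIFESTS = [
    ("vscode", "acme.fmt-1.0.0", {"name": "fmt", "displayName": "Acme Formatter", "publisher": "acme"}),
    ("cursor", "acme-dev.fmt-1.0.0", {"name": "fmt", "displayName": "Acme Formatter", "publisher": "acme-dev"}),
    ("windsurf", "acme.lint-2.0.0", {"name": "lint", "displayName": "Acme Linter", "publisher": "acme"}),
]

if __name__ == "__main__":
    # Scan the real IDE folders; fall back to the constructed sample when none exist.
    found = list(load_manifests(IDE_EXTENSION_DIRS)) or SAMPLE_MANIFESTS
    for name, pubs in find_lookalikes(found).items():
        print(f"{name!r} is installed under several publishers: {pubs}")
```

A hit only says two publishers ship the same display name; confirm which one is the legitimate publisher against the marketplace listing before removing anything.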
The ultimate objective of the campaign is to deploy a multi-stage attack. The malware is designed to steal sensitive information, install a remote access trojan, and deploy a rogue Chromium-based browser extension. This extension can extract credentials, bookmarks, and other user data, significantly increasing the impact of the breach. Notably, the malware includes logic to avoid execution on Russian systems, a pattern often observed in certain threat actor operations.
The use of Zig-based droppers and obfuscated JavaScript further complicates detection, enabling attackers to conceal malicious activity within seemingly legitimate code. By separating the loader from the payload, the campaign reduces the likelihood of being flagged during initial scans, making it more effective at bypassing security controls.
The discovery of the GlassWorm v2 malware campaign underscores a broader trend in cybersecurity, where attackers target developer environments as entry points into larger systems. As organizations rely heavily on open source tools and extensions, ensuring the integrity of software supply chains has become critical. Developers are advised to verify extension sources, monitor updates closely, and implement stricter security controls to mitigate the risk of compromise.