GLASSWORM MALWARE RETURNS WITH 73 HIDDEN EXTENSIONS

Security researchers have identified a renewed GlassWorm malware campaign targeting the OpenVSX ecosystem with 73 infected extensions designed to evade immediate detection. The attack uses a "sleeper" mechanism where extensions appear benign upon installation but become malicious following an update. This delay tactic complicates detection and allows the malware to establish a foothold before activating its payload. OpenVSX is an open-source registry for Visual Studio Code extensions. The platform's decentralized model, while offering community benefits, creates security challenges for vetting submissions. Researchers discovered the malicious extensions had been uploaded to the repository and were available for download. The GlassWorm campaign is not new. Previous iterations have targeted package repositories and developer tools. This latest variant demonstrates persistent efforts to compromise developer environments—high-value targets due to access to source code and deployment credentials. Affected users should audit recently installed extensions and review update histories. OpenVSX maintainers have been notified and have removed the identified malicious extensions from the repository. The incident highlights broader supply-chain security concerns in software development. Attackers increasingly target repositories and package managers as entry points, recognizing that compromised developer tools can affect downstream users and organizations. Developers are advised to review extensions for suspicious behavior, verify extension sources, and consider using only officially maintained or widely-trusted extensions. Organizations should implement code review processes and monitor extension activity within development environments. OpenVSX users can check their installed extensions against published lists of affected packages. Those who installed any of the 73 malicious extensions should remove them immediately and monitor systems for unauthorized activity.