Cybersecurity researchers have identified a new phase of the GlassWorm malware campaign that is spreading through malicious extensions hosted on the Open VSX registry, raising concerns about supply chain security within developer environments. According to a report from software supply chain security firm Socket, attackers have introduced a more advanced distribution method that allows seemingly harmless extensions to later become delivery mechanisms for malware. The updated campaign shows a shift in tactics where threat actors leverage extension relationships inside the Visual Studio Code ecosystem to silently introduce malicious components after users have already installed and trusted the original package.
Socket reported that at least 72 additional malicious extensions were discovered in the Open VSX registry since January 31, 2026. These extensions are designed to resemble legitimate developer tools such as linters, formatters, code runners, and utilities that assist with artificial intelligence based coding environments. Some also imitate tools connected to AI coding assistants including Clade Code and Google Antigravity. Examples of extensions that were identified include angular-studio.ng-angular-extension, crotoapp.vscode-xml-extension, gvotcha.claude-code-extension, mswincx.antigravity-cockpit, tamokill12.foundry-pdf-extension, turbobase.sql-turbo-tool, and vce-brendan-studio-eich.js-debuger-vscode. Open VSX administrators have since removed these packages from the registry following the discovery. The campaign reflects the persistent effort by threat actors to infiltrate developer ecosystems and exploit trusted repositories to distribute malware through supply chain pathways.
GlassWorm refers to a continuing malware operation that has repeatedly infiltrated extension marketplaces including Microsoft Visual Studio Marketplace and Open VSX. The malicious extensions deployed in these campaigns are designed to extract secrets, steal credentials, drain cryptocurrency wallets, and convert compromised systems into proxy nodes that support other criminal activities. Although the campaign was first publicly reported by Koi Security in October 2025, similar tactics had already appeared earlier in the year when researchers observed npm packages hiding malicious code using invisible Unicode characters. These characters conceal the payload inside files so that the malicious code remains hidden from developers when viewed in typical code editors or terminal environments. When executed, the hidden code decodes into a loader that retrieves additional scripts capable of extracting tokens, credentials, and sensitive project data from affected systems.
The latest version of the GlassWorm campaign introduces several technical adjustments intended to avoid detection and increase resilience. Researchers observed that the malicious extensions continue to include checks that prevent infection on systems configured with a Russian language locale. They also rely on transactions on the Solana blockchain as a method to retrieve command and control server addresses, allowing the infrastructure to remain flexible even if individual servers are taken down. In addition, attackers are rotating Solana wallets and introducing stronger code obfuscation techniques. One notable method involves using extensionPack and extensionDependencies features within extension configuration files. These settings allow one extension to install additional extensions automatically. By initially publishing a harmless extension and later modifying it to reference a malicious dependency, attackers can bypass review processes and convert previously trusted packages into distribution channels for the GlassWorm malware.
Researchers from Aikido also connected the activity to a broader campaign targeting open source repositories across multiple platforms. According to the advisory, attackers injected malicious content into numerous GitHub repositories using the same invisible Unicode technique. Between March 3 and March 9, 2026, an estimated 151 repositories were affected. Two npm packages, @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp, were also discovered using the same hidden code method, indicating that the campaign extends beyond extension marketplaces and into software development package ecosystems. Security researcher Ilyas Makari explained that the injected commits often appear legitimate because they contain routine changes such as documentation updates, version adjustments, or small code refactoring. The commits blend naturally with existing project activity, which suggests attackers may be using large language models to generate convincing changes that avoid suspicion.
Additional supply chain concerns emerged when Endor Labs identified 88 malicious npm packages uploaded between November 2025 and February 2026 through approximately 50 disposable developer accounts. These packages included functionality designed to collect sensitive data from compromised systems, including environment variables, CI CD tokens, and system metadata. The packages used a technique known as Remote Dynamic Dependencies, where dependency files reference code hosted on external HTTP locations rather than within the npm registry. This approach allows attackers to change the malicious payload at any time without publishing a new package version, making detection and analysis more difficult. The activity was initially linked to the PhantomRaven campaign, although the individual responsible later claimed it was part of a research experiment. Endor Labs disputed this explanation, noting that the packages collected excessive information, lacked transparency, and were distributed through rotating account identities and email addresses.
By March 12, 2026, the owner of the disputed packages modified several of them by replacing the data collection payload with a simple Hello world message. Security researchers said the change highlights the inherent risks associated with external dependency links. Because the malicious code is hosted outside the official package registry, attackers can modify or remove functionality without issuing updates that would normally trigger review or alert developers. This ability to silently change code behavior across all dependent packages reinforces ongoing concerns about software supply chain security within modern development environments.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
