Researchers Uncover 73 Fake VS Code Extensions Distributing GlassWorm V2 Malware

Cybersecurity researchers have uncovered a large-scale malicious campaign involving fake Microsoft Visual Studio Code extensions published on the Open VSX repository, linked to a persistent information-stealing operation tracked as GlassWorm. The investigation has identified a total of 73 extensions that are connected to the activity cluster, with the campaign now being monitored under the updated designation GlassWorm v2. Security analysts report that these extensions were published at the start of the month and form part of an evolving software supply chain attack targeting developers through trusted extension marketplaces.

Out of the 73 identified extensions, six have been confirmed as directly malicious, while the remaining packages are described as sleeper extensions designed to appear harmless during initial installation. These sleeper packages mimic legitimate tools to gain user trust before activating malicious behavior through later updates. Security firm Socket, which has been tracking the campaign, noted that more than 320 related artifacts have been identified since 21 December 2025, indicating a sustained and expanding operation. The malicious extensions include names such as outsidestormcommand.monochromator-theme, keyacrosslaud.auto-loop-for-antigravity, krundoven.ironplc-fast-hub, boulderzitunnel.vscode-buddies, cubedivervolt.html-code-validate, and winnerdomain17.version-lens-tool. These are designed to blend into developer workflows while remaining undetected during initial installation.

Researchers highlighted that the attackers are leveraging cloned versions of legitimate extensions by typosquatting names and copying visual elements such as icons and descriptions from original packages. For example, cloned sleeper extensions imitate trusted tools like CEINTL.vscode-language-pack-tr while using nearly identical branding and descriptions to deceive users into installation. This method of visual duplication acts as a social engineering strategy, allowing the malicious extensions to accumulate installs organically before activating their payloads. Once trust is established, updates introduce malicious functionality without raising immediate suspicion among developers.

Further analysis shows that the campaign is evolving in complexity, with threat actors shifting tactics to evade detection. The attackers are increasingly relying on sleeper packages and transitive dependencies while using Zig-based droppers to deploy secondary VSIX extensions hosted on GitHub. These secondary payloads are capable of spreading across multiple integrated development environments, including VS Code, Cursor, Windsurf, and VSCodium, using the --install-extension command. The malware is designed to propagate across developer systems and establish a deeper level of persistence while remaining hidden within legitimate development workflows.

The final stage of the infection chain focuses on data theft and system compromise. The payload is designed to avoid execution on Russian systems while targeting sensitive data such as credentials, browsing information, and stored secrets. It also installs a remote access trojan and deploys a rogue Chromium-based extension to extract bookmarks, login data, and other stored information. According to Socket, the extension operates as a loader that retrieves and executes payloads after activation, keeping most of the malicious logic hidden within obfuscated JavaScript. This approach allows the campaign to maintain stealth while continuously updating its delivery mechanism and expanding its reach across developer ecosystems.
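Because the campaign installs itself across several VS Code-derived editors, a local check has to cover every one of them. The script below is an added example, not Socket's tooling or code from the article: it scans the user extension directories of the four IDEs named above for the six extension IDs the article lists. The directory paths are an assumption of this example; the folder naming convention (publisher.name-version) is the one the VS Code extension host uses.

```python
import re
from pathlib import Path
# Extension IDs named in the article (publisher.name, lowercase).
GLASSWORM_V2_IDS = {
    "outsidestormcommand.monochromator-theme",
    "keyacrosslaud.auto-loop-for-antigravity",
    "krundoven.ironplc-fast-hub",
    "boulderzitunnel.vscode-buddies",
    "cubedivervolt.html-code-validate",
    "winnerdomain17.version-lens-tool",
}

# Assumed default user extension directories for the IDEs the article names.
EXTENSION_DIRS = {
    "VS Code": "~/.vscode/extensions",
    "Cursor": "~/.cursor/extensions",
    "Windsurf": "~/.windsurf/extensions",
    "VSCodium": "~/.vscode-oss/extensions",
}

# Installed extensions live in folders named <publisher>.<name>-<version>,
# e.g. "ms-python.python-2024.0.1"; the version begins at the last "-<digit>".
_FOLDER_RE = re.compile(r"^(?P<id>[^.]+\.[^/]+?)-(?P<ver>\d[\w.\-]*)$")

def extension_id_from_folder(folder_name):
    """Return the lowercase publisher.name ID for an extension folder, or None."""
    m = _FOLDER_RE.match(folder_name)
    return m.group("id").lower() if m else None

def find_flagged(entries, blocklist=GLASSWORM_V2_IDS):
    """Match folder names or bare IDs (e.g. `code --list-extensions` output)."""
    flagged = set()
    for entry in entries:
        # Folder names carry a version suffix; bare IDs are used as-is.
        ext_id = extension_id_from_folder(entry) or entry.strip().lower()
        if ext_id in blocklist:
            flagged.add(ext_id)
    return sorted(flagged)

def audit_all_ides(ext_dirs=EXTENSION_DIRS):
    """Scan every IDE extension directory present on this machine."""
    report = {}
    for ide, path in ext_dirs.items():
        root = Path(path).expanduser()
        if root.is_dir():
            report[ide] = find_flagged(p.name for p in root.iterdir() if p.is_dir())
    return report

if __name__ == "__main__":
    print(audit_all_ides())
```

Feed the output of `code --list-extensions` (or the equivalent for the other editors) to find_flagged to audit a machine without relying on the assumed directory paths.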
