    GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

    By admin, March 14, 2026

    Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say represents a “significant escalation” in how it propagates through the Open VSX registry.

    “Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established,” Socket said in a report published Friday.

    The software supply chain security company said it discovered at least 72 additional malicious Open VSX extensions since January 31, 2026, targeting developers. These extensions mimic widely used developer utilities, including linters and formatters, code runners, and tools for artificial intelligence (AI)-powered coding assistants like Claude Code and Google Antigravity.

    The names of some of the extensions are listed below. Open VSX has since taken steps to remove them from the registry:

    • angular-studio.ng-angular-extension
    • crotoapp.vscode-xml-extension
    • gvotcha.claude-code-extension
    • mswincx.antigravity-cockpit
    • tamokill12.foundry-pdf-extension
    • turbobase.sql-turbo-tool
    • vce-brendan-studio-eich.js-debuger-vscode

    GlassWorm is the name given to an ongoing malware campaign that has repeatedly infiltrated Microsoft Visual Studio Marketplace and Open VSX with malicious extensions designed to steal secrets and drain cryptocurrency wallets, and abuse infected systems as proxies for other criminal activities.

    Although the activity was first flagged by Koi Security in October 2025, npm packages using the same tactics – particularly the use of invisible Unicode characters to hide malicious code – were identified as far back as March 2025.

    The latest iteration retains many of the hallmarks associated with GlassWorm: running checks to avoid infecting systems with a Russian locale and using Solana transactions as a dead drop resolver to fetch the command-and-control (C2) server for improved resilience.

    But the new set of extensions also features heavier obfuscation, rotates Solana wallets to evade detection, and abuses extension relationships to deploy the malicious payloads, similar to how npm packages rely on rogue dependencies to fly under the radar. Regardless of whether an extension is declared as “extensionPack” or “extensionDependencies” in the extension’s “package.json” file, the editor proceeds to install every other extension listed in it.

    In doing so, the GlassWorm campaign uses one extension as an installer for another extension that’s malicious. This also opens up new supply chain attack scenarios as an attacker first uploads a completely harmless VS Code extension to the marketplace to bypass review, after which it’s updated to list a GlassWorm-linked package as a dependency.

    “As a result, an extension that looked non-transitive and comparatively benign at initial publication can later become a transitive GlassWorm delivery vehicle without any change to its apparent purpose,” Socket said.
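A defender can catch the update pattern described above by diffing the manifest of an already reviewed extension version against the manifest of the update. The following is an added example, not code from Socket or from the article; the manifests, extension IDs and the allowlist are constructed, and comparing IDs case-insensitively is a normalization choice made here.

```javascript
// Added example: flag extension updates that start pulling in other extensions.
// Field names come from the article; the manifests below are constructed samples.
const RELATION_FIELDS = ["extensionPack", "extensionDependencies"];

// Collect every extension ID a manifest would cause the editor to install.
function relatedExtensions(manifest) {
  const ids = new Map(); // lower-cased id -> field it was declared in
  for (const field of RELATION_FIELDS) {
    const value = manifest && manifest[field];
    if (!Array.isArray(value)) continue; // field absent or malformed
    for (const id of value) {
      if (typeof id === "string" && id.trim() !== "") {
        ids.set(id.trim().toLowerCase(), field);
      }
    }
  }
  return ids;
}

// Compare the previously reviewed manifest with the updated one.
// Returns the IDs that were not installed before and are not on the allowlist.
// An ID that only moves between the two fields is not reported, because
// either field leads to the same install.
function newTransitiveInstalls(oldManifest, newManifest, allowlist = []) {
  const before = relatedExtensions(oldManifest);
  const allowed = new Set(allowlist.map((id) => id.toLowerCase()));
  const findings = [];
  for (const [id, field] of relatedExtensions(newManifest)) {
    if (!before.has(id) && !allowed.has(id)) findings.push({ id, field });
  }
  return findings;
}

// Constructed sample: version 1.0.0 is standalone, 1.0.1 adds relationships.
const v1 = { name: "example-formatter", version: "1.0.0" };
const v2 = {
  name: "example-formatter",
  version: "1.0.1",
  extensionDependencies: ["Example-Publisher.helper-tools"],
  extensionPack: ["trusted-publisher.linter"],
};

console.log(newTransitiveInstalls(v1, v2, ["trusted-publisher.linter"]));
```

Run against each update before it is approved for an internal extension allowlist; any finding means the update installs something that was never reviewed.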

    In a concurrent advisory, Aikido attributed the GlassWorm threat actor to a mass campaign that’s spreading across open-source repositories, with the attackers injecting various repositories with invisible Unicode characters to encode a payload. While the content isn’t visible when loaded into code editors and terminals, it decodes to a loader that’s responsible for fetching and executing a second-stage script to steal tokens, credentials, and secrets.

    No fewer than 151 GitHub repositories are estimated to have been affected as part of the campaign between March 3 and March 9, 2026. In addition, the same Unicode technique has been deployed in two different npm packages, indicating a coordinated, multi-platform push:

    • @aifabrix/miso-client
    • @iflow-mcp/watercrawl-watercrawl-mcp

    “The malicious injections don’t arrive in obviously suspicious commits,” security researcher Ilyas Makari said. “The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project. This level of project-specific tailoring strongly suggests the attackers are using large language models to generate convincing cover commits.”
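Because the injected content does not render in editors or terminals, review has to look at code points rather than glyphs. The following is an added example, not code from Aikido or from the article; the article does not name the code points used, so the character set and the run-length threshold are assumptions, and the sample text is constructed.

```javascript
// Added example: report runs of invisible code points in source text.
// Assumed character set (the article does not specify one): format characters
// (Cf), private-use characters (Co) and both variation-selector blocks.
const INVISIBLE_RUN = /[\p{Cf}\p{Co}\uFE00-\uFE0F\u{E0100}-\u{E01EF}]+/gu;

// A lone U+FE0F after an emoji or a leading BOM is normal; long runs are not.
function findInvisibleRuns(text, minRun = 8) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const match of line.matchAll(INVISIBLE_RUN)) {
      const codePoints = Array.from(match[0], (ch) => ch.codePointAt(0));
      if (codePoints.length < minRun) continue;
      findings.push({
        line: index + 1,
        column: match.index + 1, // UTF-16 offset within the line, 1-based
        count: codePoints.length,
        first: "U+" + codePoints[0].toString(16).toUpperCase().padStart(4, "0"),
      });
    }
  });
  return findings;
}

// Constructed sample: line 2 hides 12 variation selectors in a string literal.
const hidden = String.fromCodePoint(
  ...Array.from({ length: 12 }, (_, i) => 0xe0100 + i)
);
const sample = [
  "const ok = '\u2764\uFE0F';", // emoji plus one selector: below the threshold
  "const s = '" + hidden + "';",
  "module.exports = s;",
].join("\n");

console.log(findInvisibleRuns(sample));
```

Lowering `minRun` increases sensitivity at the cost of flagging ordinary emoji sequences and bidirectional marks in localized strings.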

    PhantomRaven or Research Experiment?

    The development comes as Endor Labs said it discovered 88 new malicious npm packages uploaded in three waves between November 2025 and February 2026 via 50 disposable accounts. The packages come with functionality to steal sensitive information from the compromised machine, including environment variables, CI/CD tokens, and system metadata.

    The activity stands out for the use of Remote Dynamic Dependencies (RDD), where the “package.json” metadata file specifies a dependency at a custom HTTP URL, thereby allowing the operators to modify the malicious code on the fly, as well as bypass inspection.

    While the packages were initially identified as part of the PhantomRaven campaign, the application security company noted in an update that they were produced by a security researcher as part of a legitimate experiment – a claim it challenged, citing three red flags. These include the fact that the libraries collect far more information than necessary, provide no transparency to the user, and are published by deliberately rotated account names and email addresses.

    As of March 12, 2026, the owner of the packages has made additional changes, swapping out the data harvesting payload delivered via some of the npm packages published over the three-month period with a simple “Hello, world!” message.

    “While the removal of code that collected extensive information is certainly welcome, it also highlights the risks associated with URL dependencies,” Endor Labs said. “When packages rely on code hosted outside the npm registry, authors retain full control over the payload without publishing a new package version. By modifying a single file on the server – or simply shutting it down – they can silently change or disable the behavior of every dependent package at once.”
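URL dependencies of the kind described above can be surfaced by classifying every dependency spec in a “package.json” before install. The following is an added example, not code from Endor Labs or from the article; the manifest, package names and hosts are constructed, and reporting git and local specs alongside HTTP URLs goes slightly beyond the RDD case in the text.

```javascript
// Added example: list dependencies that resolve outside the npm registry.
const DEP_FIELDS = [
  "dependencies", "devDependencies", "optionalDependencies", "peerDependencies",
];

// Classify one dependency spec string from package.json.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^https?:\/\//i.test(s)) return "remote-url"; // tarball fetched by URL
  if (/^(git(\+\w+)?:|github:|gitlab:|bitbucket:)/i.test(s)) return "git";
  if (/^[\w.-]+\/[\w.-]+(#.+)?$/.test(s)) return "git"; // user/repo shorthand
  if (/^(file|link):/i.test(s)) return "local";
  return "registry"; // semver ranges, dist-tags, npm: aliases
}

// Return every dependency whose code is not served by the registry.
function findNonRegistryDeps(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest && manifest[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(spec);
      if (kind === "registry") continue;
      // plaintext marks unencrypted HTTP, which adds in-transit tampering risk
      const plaintext = /^http:\/\//i.test(String(spec).trim());
      findings.push({ field, name, spec, kind, plaintext });
    }
  }
  return findings;
}

// Constructed sample manifest; names and hosts are placeholders.
const manifest = {
  name: "constructed-sample",
  dependencies: {
    "left-helper": "^1.2.3",
    "ui-kit": "http://packages.example.invalid/ui-kit.tgz",
    "aliased": "npm:other-package@2.0.0",
  },
  devDependencies: {
    "build-tool": "git+https://git.example.invalid/build-tool.git",
  },
};

console.log(findNonRegistryDeps(manifest));
```

The check has to cover transitive manifests as well, since a registry-hosted package can itself declare a URL dependency.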
