Cybersecurity researchers have flagged a brand new iteration of the GlassWorm marketing campaign that they are saying represents a “important escalation” in the way it propagates by way of the Open VSX registry.
“As a substitute of requiring each malicious itemizing to embed the loader straight, the menace actor is now abusing extensionPack and extensionDependencies to show initially standalone-looking extensions into transitive supply automobiles in later updates, permitting a benign-appearing package deal to start pulling a separate GlassWorm-linked extension solely after belief has already been established,” Socket stated in a report printed Friday.
The software program provide chain safety firm stated it found at the least 72 further malicious Open VSX extensions since January 31, 2026, concentrating on builders. These extensions mimic broadly used developer utilities, together with linters and formatters, code runners, and instruments for synthetic intelligence (AI)-powered coding assistants like Clade Code and Google Antigravity.
The names of a few of the extensions are listed beneath. Open VSX has since taken steps to take away them from the registry –
- angular-studio.ng-angular-extension
- crotoapp.vscode-xml-extension
- gvotcha.claude-code-extension
- mswincx.antigravity-cockpit
- tamokill12.foundry-pdf-extension
- turbobase.sql-turbo-tool
- vce-brendan-studio-eich.js-debuger-vscode
GlassWorm is the title given to an ongoing malware marketing campaign that has repeatedly infiltrated Microsoft Visible Studio Market and Open VSX with malicious extensions designed to steal secrets and techniques and drain cryptocurrency wallets, and abuse contaminated methods as proxies for different legal actions.
Though the exercise was first flagged by Koi Safety in October 2025, npm packages utilizing the identical techniques – notably the usage of invisible Unicode characters to cover malicious code – had been recognized way back to March 2025.
The most recent iteration retains lots of the hallmarks related to GlassWorm: working checks to keep away from infecting methods with a Russian locale and utilizing Solana transactions as a lifeless drop resolver to fetch the command-and-control (C2) server for improved resilience.
However the brand new set of extensions additionally options heavier obfuscation and rotates Solana wallets to evade detection, in addition to abuses extension relationships to deploy the malicious payloads, much like how npm packages depend on rogue dependencies to fly beneath the radar. No matter whether or not an extension is said as “extensionPack” or “extensionDependencies” within the extension’s “package deal.json” file, the editor proceeds to put in each different extension listed in it.
In doing so, the GlassWorm marketing campaign makes use of one extension as an installer for an additional extension that is malicious. This additionally opens up new provide chain assault situations as an attacker first uploads a very innocent VS Code extension to {the marketplace} to bypass evaluate, after which it is up to date to checklist a GlassWorm-linked package deal as a dependency.
“Because of this, an extension that regarded non-transitive and relatively benign at preliminary publication can later turn into a transitive GlassWorm supply automobile with none change to its obvious function,” Socket stated.
In a concurrent advisory, Aikido attributed the GlassWorm menace actor to a mass marketing campaign that is spreading throughout open-source repositories, with the attackers injecting numerous repositories with invisible Unicode characters to encode a payload. Whereas the content material is not seen when loaded into code editors and terminals, it decodes to a loader that is accountable for fetching and executing a second-stage script to steal tokens, credentials, and secrets and techniques.
A minimum of 151 GitHub repositories are estimated to have been affected as a part of the marketing campaign between March 3 and March 9, 2026. As well as, the identical Unicode approach has been deployed in two totally different npm packages, indicating a coordinated, multi-platform push –
- @aifabrix/miso-client
- @iflow-mcp/watercrawl-watercrawl-mcp
“The malicious injections do not arrive in clearly suspicious commits,” safety researcher Ilyas Makari stated. “The encompassing adjustments are life like: documentation tweaks, model bumps, small refactors, and bug fixes which can be stylistically per every goal venture. This stage of project-specific tailoring strongly suggests the attackers are utilizing massive language fashions to generate convincing cowl commits.”
PhantomRaven or Analysis Experiment?
The event comes as Endor Labs stated it found 88 new malicious npm packages uploaded in three waves between November 2025 and February 2026 by way of 50 disposable accounts. The packages include performance to steal delicate data from the compromised machine, together with setting variables, CI/CD tokens, and system metadata.
The exercise stands out for the usage of Distant Dynamic Dependencies (RDD), the place the “package deal.json” metadata file specifies a dependency at a customized HTTP URL, thereby permitting the operators to switch the malicious code on the fly, in addition to bypass inspection.
Whereas the packages had been initially recognized as a part of the PhantomRaven marketing campaign, the appliance safety firm famous in an replace that they had been produced by a safety researcher as a part of a official experiment – a declare it challenged, citing three pink flags. This consists of the truth that the libraries gather much more data than mandatory, present no transparency to the person, and are printed by intentionally rotated account names and electronic mail addresses.
As of March 12, 2026, the proprietor of the packages has made further adjustments, swapping out the info harvesting payload delivered by way of a few of the npm packages printed over the three-month interval with a easy “Hiya, world!” Message.
“Whereas the removing of code that collected intensive data is actually welcome, it additionally highlights the dangers related to URL dependencies,” Endor Labs stated. “When packages depend on code hosted exterior the npm registry, authors retain full management over the payload with out publishing a brand new package deal model. By modifying a single file on the server – or just shutting it down – they’ll silently change or disable the conduct of each dependent package deal directly.”
