A new wave of the GlassWorm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that are benign at upload but later deliver malicious payloads. Researchers report six extensions have already activated to deploy malware and recommend affected developers rotate secrets and clean their environments. #GlassWorm #OpenVSX
Keypoints
- Attackers uploaded 73 cloned OpenVSX extensions designed to act as dormant loaders that turn malicious after updates.
- Six of the extensions have been activated and confirmed to deliver malware, while the remainder are assessed as suspicious or dormant.
- Loader techniques include fetching secondary VSIX packages from GitHub, loading platform-specific .node modules, and using heavily obfuscated JavaScript that decodes at runtime.
- Variants mimic legitimate listings by copying icons, names, and descriptions, with publisher name and unique identifier as primary indicators of fakery.
- Socket published the full list of affected extensions and advises developers who installed them to rotate all secrets and thoroughly clean their development environments.
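Because the clones copy names and descriptions and differ mainly in publisher and identifier, installed extensions can be audited from their manifests. The sketch below is an added example, not Socket's tooling or code from the report: it assumes the usual layout of VS Code-compatible editors (one folder per extension with a `package.json` holding `publisher`, `name`, `displayName`, `version`), and every identifier in it is constructed; the real flagged list has to come from Socket's publication.

```python
import json
import tempfile
from pathlib import Path

def read_manifests(ext_root):
    """Yield (publisher, name, displayName, version) for each installed extension."""
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        try:
            m = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the audit
        if isinstance(m, dict) and m.get("publisher") and m.get("name"):
            yield tuple(str(m.get(k, "")) for k in ("publisher", "name", "displayName", "version"))

def audit(ext_root, flagged_ids, expected_publishers):
    """Return (kind, extension_id, version) findings.
    flagged_ids: publisher.name ids from a published list; expected_publishers:
    {name or display name: trusted publisher}."""
    flagged = {i.lower() for i in flagged_ids}
    expected = {k.lower(): v.lower() for k, v in expected_publishers.items()}
    findings = []
    for publisher, name, display, version in read_manifests(ext_root):
        ext_id = f"{publisher}.{name}".lower()
        if ext_id in flagged:
            findings.append(("flagged", ext_id, version))
            continue
        # Clones reuse the name and display name; the publisher is what differs.
        for label in (name.lower(), display.lower()):
            if label in expected and expected[label] != publisher.lower():
                findings.append(("lookalike", ext_id, version))
                break
    return findings

def demo():
    """Audit a constructed extensions directory (all ids below are made up)."""
    installed = [("goodcorp", "pretty-lint", "Pretty Lint", "2.1.0"),
                 ("g00dcorp", "pretty-lint", "Pretty Lint", "2.1.1"),
                 ("example-bad", "theme-pack", "Theme Pack", "0.0.3")]
    with tempfile.TemporaryDirectory() as root:
        for pub, name, display, ver in installed:
            d = Path(root) / f"{pub}.{name}-{ver}"
            d.mkdir()
            (d / "package.json").write_text(json.dumps(
                {"publisher": pub, "name": name, "displayName": display, "version": ver}))
        return audit(root, ["example-bad.theme-pack"], {"pretty-lint": "goodcorp"})

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

A "lookalike" finding is a prompt to compare the listing's publisher against the one you intended to install, not proof of compromise; sleeper extensions are clean at upload, so the installed version is worth recording alongside each finding.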