GlassWorm Campaign Expands Through Malicious Open VSX Extensions

GlassWorm has expanded across the Open VSX ecosystem by publishing at least 72 malicious extensions and using developer-facing packages to spread loaders indirectly. The campaign abuses manifest fields like extensionPack and extensionDependencies for transitive installs, impersonates popular developer tools to gain trust, and has updated loader infrastructure and obfuscation methods including Solana memo dead drops and relocated decryption keys.

Keypoints

  • GlassWorm now leverages extensionPack and extensionDependencies to deliver malware transitively through Open VSX extensions.
  • Researchers discovered at least 72 additional malicious Open VSX extensions beginning January 31, 2026.
  • Many malicious extensions impersonate widely used developer tools and inflate download counts to appear legitimate.
  • The GlassWorm loader still uses staged JavaScript, geofencing, Solana memo dead drops, and in-memory execution while adopting RC4/base64 obfuscation and moving keys into HTTP headers.
  • Open VSX has removed many listings, but some transitively malicious extensions remained active, indicating ongoing takedown efforts are needed.
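
To make the transitive-install point concrete for defenders, the following added example (not code from the report or from Open VSX) walks the extensionPack and extensionDependencies fields of installed extension manifests and reports every extension an approved one pulls in that is not itself approved, with the path that reaches it. The extension IDs, the allowlist and the assumption that manifests sit at `<extensions dir>/*/package.json` are illustrative.

```python
import json
from collections import deque
from pathlib import Path

LINK_FIELDS = ("extensionPack", "extensionDependencies")

def load_manifests(ext_dir):
    """Read every <ext_dir>/*/package.json into {publisher.name: manifest}."""
    out = {}
    for p in Path(ext_dir).glob("*/package.json"):
        m = json.loads(p.read_text(encoding="utf-8"))
        if "publisher" in m and "name" in m:
            out[f"{m['publisher']}.{m['name']}".lower()] = m
    return out

def links(manifest):
    """IDs this manifest causes to be installed alongside it (lowercased)."""
    ids = []
    for field in LINK_FIELDS:
        value = manifest.get(field) or []
        ids += [i.lower() for i in value if isinstance(i, str)]
    return ids

def transitive_paths(root, manifests):
    """Breadth-first walk from root; returns {reached_id: path from root}."""
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in links(manifests.get(cur, {})):
            if nxt not in paths:  # skip visited IDs, which also breaks cycles
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def audit(manifests, approved):
    """For each approved extension, map unapproved IDs it pulls in to their path."""
    findings = {}
    for root in sorted(approved & manifests.keys()):
        bad = {i: p for i, p in transitive_paths(root, manifests).items()
               if i not in approved}
        if bad:
            findings[root] = bad
    return findings

# Constructed sample manifests (hypothetical IDs, not taken from the report).
SAMPLE = {
    "acme.theme-pack": {"extensionPack": ["acme.icons", "Helper.Linter-Tools"]},
    "acme.icons": {},
    "helper.linter-tools": {"extensionDependencies": ["unknown.loader"]},
    "unknown.loader": {"extensionDependencies": ["acme.theme-pack"]},
}
APPROVED = {"acme.theme-pack", "acme.icons"}
```

Running `audit(load_manifests(path), approved)` against a real extensions directory gives the same report; an ID that appears in a path but has no manifest on disk is still listed, since it would be fetched on install.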

Read More: https://thecyberexpress.com/glassworm-malicious-campaign/