GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

Researchers warn that a new GlassWorm campaign has escalated by abusing the Open VSX extensionPack and extensionDependencies manifest fields to turn benign-looking extensions into transitive delivery vehicles that deploy malicious payloads after trust is established. Socket and other analysts found dozens of malicious Open VSX extensions and linked techniques, including invisible Unicode obfuscation and Solana-based command-and-control (C2), spreading across GitHub and npm. #GlassWorm #OpenVSX

Key points

  • Attackers abuse extensionPack and extensionDependencies to convert benign extensions into GlassWorm delivery vehicles.
  • Socket discovered at least 72 malicious Open VSX extensions that mimic popular developer tools and AI assistant integrations.
  • The campaign uses invisible Unicode obfuscation, heavier code obfuscation, Solana transactions for C2, and rotating wallets to evade detection.
  • Aikido attributed related injections to 151 GitHub repositories and identified the same Unicode technique in two npm packages.
  • Endor Labs flagged 88 npm packages using Remote Dynamic Dependencies to remotely modify payloads and harvest sensitive tokens and credentials.
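Two of the indicators above can be checked mechanically before an extension is installed: which other extensions a manifest pulls in through extensionPack and extensionDependencies, and whether its source contains invisible Unicode code points. The scanner below is an added example written for this summary, not code from the article or from Socket, Aikido or Endor Labs; the set of "invisible" code point ranges and the sample manifest and source are assumptions constructed for illustration.

```python
import json

# Code points that render as nothing in an editor and so have no business in
# JavaScript/TypeScript source. These ranges are this example's assumption,
# not a list taken from the report.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space, joiners, bidi marks
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]


def is_invisible(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def find_invisible_chars(source):
    """Return (line, column, 'U+XXXX') for every invisible code point."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}"))
    return hits


def transitive_extensions(manifest_json):
    """List extension ids a manifest pulls in via the two abused fields."""
    manifest = json.loads(manifest_json)
    pulled = []
    for field in ("extensionPack", "extensionDependencies"):
        for ext_id in manifest.get(field, []):
            pulled.append((field, ext_id))
    return pulled


# Constructed sample inputs; they do not describe any real extension.
SAMPLE_MANIFEST = """{
  "name": "example-helper", "publisher": "example",
  "extensionPack": ["example.other-ext"],
  "extensionDependencies": ["example.runtime-ext"]
}"""
SAMPLE_SOURCE = "const x = 1;\nconst y = \u200b\ufe0f2;\n"

if __name__ == "__main__":
    for field, ext_id in transitive_extensions(SAMPLE_MANIFEST):
        print(f"pulls in {ext_id} via {field}")
    for lineno, col, cp in find_invisible_chars(SAMPLE_SOURCE):
        print(f"invisible {cp} at line {lineno}, col {col}")
```

A hit from either function is a reason to review the extension, not proof of compromise; legitimate extension packs exist, and the point is that every pulled-in id inherits the trust granted to the one the developer chose.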

Read More: https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html