Cybersecurity researchers have identified a new iteration of the Glassworm campaign, which they say represents a “significant evolution” in how it spreads through the OpenVSX registry.
“Instead of requiring each malicious catalog to directly embed the loader, the threat actor is now abusing extensionpacks and extension dependencies to turn extensions that initially appear standalone into transitive delivery vehicles in a subsequent update, allowing the benign-looking package to begin pulling a separate Glassworm-linked extension,” Socket said in a report published Friday.
The software supply chain security company said it has discovered at least 72 additional malicious OpenVSX extensions dating back to January 31, 2026, targeting developers. These extensions mimic widely used developer utilities, including linters and formatter, code runners, and artificial intelligence (AI)-powered coding assistants such as tools from Clad Code and Google AntiGravity.
The names of some extensions are listed below. OpenVSX has since taken steps to remove them from the registry –
- angular-studio.ng-angular-extend
- crotoapp.vscode-xml-extension
- gvotcha.cloud-code-extension
- mswincx.antigravity-cockpit
- tamokill12.foundry-pdf-extension
- turbobase.sql-turbo-tools
- vce-brandon-studio-etch.js-debugger-vscode
Glassworm is the name given to an ongoing malware campaign that has repeatedly infiltrated the Microsoft Visual Studio Marketplace and OpenVSX with malicious extensions designed to steal secrets and drain cryptocurrency wallets and misuse infected systems as proxies for other criminal activities.
Although the activity was first flagged by Koi Security in October 2025, npm packages using similar tactics – specifically the use of invisible Unicode characters to hide malicious code – were identified as early as March 2025.
The latest iteration retains many of the hallmarks associated with Glassworm: running checks to avoid infecting systems with the Russian locale and using Solana transactions as a dead drop resolver to bring up command-and-control (C2) servers for better resiliency.
But the new set of extensions also heavily obfuscates and circumvents Solana wallets to avoid detection, as well as abusing extension relationships to deploy malicious payloads, in the same way that npm packages rely on rogue dependencies to fly under the radar. Regardless of whether an extension is declared as “ExtensionPack” or “ExtensionDependencies” in the extension’s “package.json” file, the editor proceeds to install every other extension listed in it.
In doing so, the Glassworm campaign uses one extension as an installer for another extension that is malicious. This also opens up new supply chain attack scenarios as an attacker first uploads a completely harmless VS Code extension to the Marketplace to bypass review, after which it is updated to list the Glassworm-linked package as a dependency.
“As a result, an extension that appeared non-infectious and comparatively benign at initial publication may later become a transmissible glassworm delivery vehicle without any change in its apparent purpose,” Sockett said.
In a concurrent advisory, Aikido attributed the Glassworm threat actor to a larger campaign that is spreading across open-source repositories, in which attackers are injecting various repositories with invisible Unicode characters to encode payloads. Although the content is not visible when loaded in code editors and terminals, it decodes a loader that is responsible for fetching and executing a second-stage script to steal tokens, credentials, and secrets.
At least 151 GitHub repositories are estimated to have been affected as part of the campaign between March 3 and March 9, 2026. Additionally, the same Unicode technology has been deployed in two different npm packages, indicating a coordinated, multi-platform push –
- @efabricks/miso-client
- @iflow-mcp/watercrawl-watercrawl-mcp
“Malicious injections do not occur in obviously suspicious commits,” said security researcher Elias Makari. “The surrounding changes are realistic: documentation changes, version constraints, small refactors, and bug fixes that are stylistically consistent with each target project. This level of project-specific tailoring strongly suggests that the attackers are using large language models to generate solid cover commits.”
Phantomraven or research experiment?
The development comes as Andor Labs said it discovered 88 new malicious NPM packages uploaded in three waves via 50 disposable accounts between November 2025 and February 2026. The packages come with the functionality to steal sensitive information from the compromised machine, including environment variables, CI/CD tokens, and system metadata.
This activity is for the use of remote dynamic dependencies (RDDs), where the “package.json” metadata file specifies a dependency on a custom HTTP URL, allowing operators to instantly modify malicious code, as well as bypass inspection.
While the packages were initially identified as part of the PhantomRaven campaign, the application security company noted in an update that they were crafted by a security researcher as part of a legitimate experiment — a claim that was challenged, citing three red flags. This includes the fact that libraries collect far more information than necessary, provide no transparency to the user, and are published by deliberately obfuscated account names and email addresses.
As of March 12, 2026, the package owner blocked data harvesting payloads distributed through certain NPM packages published over a three-month period by sending a simple “Hello, World!” Is swapped with. Message.
“While removing code that collects extensive information is certainly welcome, it also highlights the risks associated with URL dependency,” Andor Labs said. “When packages depend on code hosted outside the npm registry, authors retain full control over the payload without publishing a new package version. By modifying a file on the server – or simply turning it off – they can silently change or disable the behavior of each dependent package all at once.”
