73 GlassWorm Sleeper Extensions Found in Open VSX Marketplace

The GlassWorm supply chain campaign targeting developers has escalated again. Security researchers at Socket identified 73 additional suspicious extensions on the Open VSX marketplace, with at least six already weaponized to deliver malware.

This April wave follows the March 2026 discovery of 72 malicious extensions tied to the same operation. The attackers are refining their approach: establishing trust through "sleeper" packages before activating malicious payloads through normal update channels.

TL;DR

• What happened: 73 new GlassWorm-linked extensions discovered on Open VSX, with 6 confirmed malicious
• Who's affected: Developers using VS Code, Cursor, Windsurf, or VSCodium with Open VSX extensions
• Attack method: Sleeper extensions build download counts before activating malware payloads
• Action required: Audit installed extensions, verify publisher namespaces, remove suspicious packages

How Sleeper Extensions Work

The sleeper model inverts traditional supply chain attacks. Instead of publishing immediately malicious code — which security scanners might flag — attackers seed marketplaces with benign-looking packages first.

These initial versions do exactly what they advertise: language packs, theme modifications, or development utilities. They accumulate downloads and positive impressions. The publisher's account gains apparent legitimacy.

Then comes the activation. Through the normal extension update mechanism, attackers push new versions containing malicious functionality. By then, the package has visual trust: download counts, favorable ratings, and history suggesting reliability.

Socket's research identifies two primary payload delivery methods in the activated extensions.

Native Binary Approach

Some GlassWorm extensions load platform-specific .node modules containing embedded GitHub URLs pointing to malicious VSIX packages. When the extension runs, it downloads and executes secondary payloads targeting the developer's machine.

The code specifically checks for VS Code, Cursor, Windsurf, and VSCodium — covering the major editors built on the VS Code foundation.

Sample malicious installer hashes (SHA256):

• 1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168
• 4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd

Obfuscated JavaScript Approach

Other variants avoid native binaries entirely, instead using heavily obfuscated JavaScript that decodes at runtime. The decoded scripts fetch VSIX payloads from attacker-controlled GitHub repositories.

Earlier GlassWorm waves used Solana blockchain transaction memos as dead-drop channels for encoded payloads — a technique that complicated takedowns since blockchain transactions are immutable.

Confirmed Malicious Extensions

Socket confirmed these six extensions have activated malicious payloads:

1. outsidestormcommand.monochromator-theme
2. keyacrosslaud.auto-loop-for-antigravity
3. krundoven.ironplc-fast-hub
4. boulderzitunnel.vscode-buddies
5. cubedivervolt.html-code-validate
6. winnerdomain17.version-lens-tool

The remaining 67 extensions are classified as high-confidence sleepers — packages matching GlassWorm patterns that haven't yet been weaponized.

Social Engineering Tactics

The campaign demonstrates careful attention to visual trust signals. Extensions like emotionkyoseparate.turkish-language-pack closely mimic the legitimate MS-CEINTL.vscode-language-pack-tr extension, using identical icons and descriptions.

A developer scanning quickly would see a Turkish language pack with reasonable download counts and familiar branding. The differences are subtle: slightly different publisher namespace, hosted on Open VSX rather than Microsoft's official marketplace.

This pattern repeats across the 73 identified packages. The attackers clone legitimate extension metadata, establish presence under similar-sounding publisher names, and wait.

Why Open VSX?

Open VSX emerged as an alternative to Microsoft's Visual Studio Marketplace, serving users of VS Code forks like VSCodium, Cursor, and Eclipse Theia. It operates with less restrictive publishing requirements than Microsoft's marketplace.

That accessibility cuts both ways. Lower barriers to entry mean faster publishing for legitimate developers — and easier infiltration for attackers.

The GlassWorm campaign has exploited this gap consistently. While Microsoft's marketplace faces its own extension security challenges, Open VSX's smaller team and open publishing model create softer targets.

Indicators of Compromise

GitHub repositories hosting malicious payloads:

• github.com/SquadMagistrate10/wnxtgkih
• github.com/francesca898/dqwffqw
• github.com/ColossusQuailPray/oiegjqde

VSIX payload hash:

• 97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd

What Developers Should Do

Audit existing extensions — Review installed Open VSX packages against the published IOC list. Remove any matches immediately.

Verify publishers — Check that extension publishers match official namespaces. Microsoft's language packs come from MS-CEINTL, not random-looking handles.

Inspect download counts — Legitimate popular extensions have substantial download histories. A "popular" tool with suspiciously low numbers deserves scrutiny.

Prefer official sources — Where possible, install extensions from Microsoft's marketplace or directly from verified developer repositories.

Monitor for updates — Attackers weaponize through updates. Unexpected functionality changes in previously trusted extensions warrant investigation.

The Bigger Picture

Developer toolchains have become attractive targets precisely because developers operate with elevated privileges. Source code access, deployment credentials, and infrastructure secrets all pass through development environments.

Supply chain attacks against npm packages, PyPI modules, and now IDE extensions reflect this calculus. Compromise a tool that developers trust, and downstream access follows.

The GlassWorm campaign's evolution from direct malicious publishing to patient sleeper tactics shows attackers adapting to improved detection. When security tools got better at catching immediately malicious packages, the operation pivoted to building trust first.

For enterprise security teams, this means extension governance can't rely solely on initial vetting. Continuous monitoring of extension behavior — what they access, what they download, how they communicate — becomes essential.

Socket maintains updated tracking on their GlassWorm v2 research page as new artifacts emerge.