Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

GlassWorm attackers activate new ‘sleeper’ extensions on Open VSX

The GlassWorm campaign is deploying "sleeper" extensions on the Open VSX marketplace that initially appear benign but are later activated via new `extensionPack` or `extensionDependencies` manifest fields or by retrieving malware from external sources to deliver credential-stealing malware. This supply-chain attack evades static code analysis by shifting malicious logic outside the scanned extension code. IT professionals should review manifest diffs for suspicious dependency additions and monitor extension update/install chains for signs of impersonation.

Threat Management, Threat Intelligence, Ransomware, Malware, Critical Infrastructure Security, Supply chain

April 28, 2026. By Laura French

Attackers tied to the GlassWorm campaign have planted a new set of 73 “sleeper” extensions on Open VSX, with six being activated to deliver malware, Socket reported Saturday.

GlassWorm malware targets the Microsoft VS Code extension ecosystem and aims to exfiltrate Open VSX, GitHub, npm and cryptocurrency wallet details in order to steal cryptocurrency and self-propagate, using stolen credentials to publish more infected extensions. The campaign has been active since at least October 2025.

In March, Socket discovered nearly 100 new malicious Open VSX extensions tied to the campaign, along with about 20 related “sleeper” extensions that did not yet contain malicious content. The company also discovered that the campaign had begun using malicious dependencies and imports of malware hosted on GitHub to deliver GlassWorm, rather than including malicious code directly in extensions.

The latest cluster of 73 extensions continues this pattern of evading detection through seemingly benign impersonation extensions that are later activated with new “extensionPack” and “extensionDependencies” manifest fields, or by retrieving malware from external sources.

“The extension’s source code alone no longer reflects the behavior it ultimately runs. By shifting critical logic outside of what tools typically scan, and spreading it across multiple delivery mechanisms, the threat actor increases the likelihood of evading detection,” the Socket Research Team wrote.

GlassWorm extensions typically impersonate other extensions by using a similar name and copying the legitimate extension’s icon, description and README content.
Six extensions confirmed to be malicious in the latest cluster include those impersonating the Monochromator theme, AutoAntigravity, IronPLC, VS Code Pets, HTML-validate and Version Lens. In some cases, the attacker added new extensionPack or extensionDependencies manifest fields that cause the extension to automatically install another malicious extension as a dependency. In other cases, code is added to install .vsix files hosted on GitHub, sometimes using native binaries and other times heavily obfuscated JavaScript that is decoded at runtime.

As of Monday afternoon, both the confirmed malicious and the suspected sleeper extensions were no longer available on the Open VSX marketplace.

To combat the evolving GlassWorm campaign, Socket recommends reviewing manifest diffs for new extensionPack and extensionDependencies additions, as well as reviewing extensions’ update/install chains, rather than just their code, to detect potentially malicious changes. Developers should also be wary of potential sleeper extensions that appear benign but may receive malicious updates in the future, by looking for signs of impersonation such as a low install count or an incorrect publisher name.
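The manifest-diff and install-chain review Socket recommends can be automated against two versions of an extension's package.json. The script below is an added example written for this page; it is not Socket's or SC Media's code, and the extension IDs, publishers, manifests and catalog snapshot it uses are constructed for illustration (the "catalog" is assumed to be a local snapshot of manifests you have already fetched, not a marketplace API). It flags IDs newly added to extensionPack or extensionDependencies, then walks the resulting install chain transitively and reports any dependency from a different publisher or one that ships a runnable entry point, which is the pattern the article describes: a theme-only sleeper whose update quietly pulls in a code-running extension.

```python
"""Review a VS Code / Open VSX extension update for install-chain changes.

Added example for this page; not Socket's or SC Media's code.
All extension IDs, publishers and manifests below are constructed.
"""
from typing import Dict, List

# Manifest fields that make the editor install *other* extensions automatically
# when this one is installed. These are the fields the campaign abused.
INSTALL_CHAIN_FIELDS = ("extensionPack", "extensionDependencies")


def ext_id(manifest: dict) -> str:
    """'publisher.name', the ID form used inside extensionPack/extensionDependencies."""
    return f"{manifest['publisher']}.{manifest['name']}"


def added_install_chain_entries(old: dict, new: dict) -> Dict[str, List[str]]:
    """IDs present in the new manifest's install-chain fields but absent from the old."""
    added: Dict[str, List[str]] = {}
    for field in INSTALL_CHAIN_FIELDS:
        before = set(old.get(field) or [])
        after = set(new.get(field) or [])
        fresh = sorted(after - before)
        if fresh:
            added[field] = fresh
    return added


def resolve_install_chain(root_id: str, catalog: Dict[str, dict]) -> List[str]:
    """Every extension that ends up installed alongside root_id, in declaration order.

    catalog maps extension ID -> manifest (assumed local snapshot). IDs missing from
    the catalog are still returned so the reviewer sees an unresolved dependency.
    """
    chain: List[str] = []

    def walk(ext: str) -> None:
        for field in INSTALL_CHAIN_FIELDS:
            for dep in catalog.get(ext, {}).get(field) or []:
                if dep != root_id and dep not in chain:
                    chain.append(dep)
                    walk(dep)

    walk(root_id)
    return chain


def review_update(old: dict, new: dict, catalog: Dict[str, dict]) -> List[str]:
    """Findings a reviewer would want before accepting the update old -> new."""
    findings: List[str] = []
    root = ext_id(new)
    for field, ids in added_install_chain_entries(old, new).items():
        for dep in ids:
            findings.append(f"{field}: new entry {dep}")
    # Include the candidate manifest itself so the walk starts from the new version.
    for dep in resolve_install_chain(root, {**catalog, root: new}):
        dep_manifest = catalog.get(dep)
        if dep_manifest is None:
            findings.append(f"install chain: {dep} is not in the catalog snapshot")
            continue
        if dep_manifest.get("publisher") != new.get("publisher"):
            findings.append(f"install chain: {dep} is published by a different publisher")
        if dep_manifest.get("main"):
            findings.append(f"install chain: {dep} runs code ({dep_manifest['main']})")
    # A sleeper that contributed only a theme and now declares an entry point.
    if not old.get("main") and new.get("main"):
        findings.append(f"manifest: {root} gained an entry point ({new['main']})")
    return findings


# Constructed sample: a theme-only extension whose update adds an extensionPack
# entry pointing at another publisher's extension.
OLD_MANIFEST = {
    "name": "sample-theme", "publisher": "sample-publisher", "version": "1.0.0",
    "contributes": {"themes": [{"label": "Sample Dark", "path": "./themes/dark.json"}]},
}
NEW_MANIFEST = {
    **OLD_MANIFEST, "version": "1.0.1",
    "extensionPack": ["other-publisher.helper-pack"],
}
# Constructed catalog snapshot of what those IDs resolve to.
CATALOG = {
    "other-publisher.helper-pack": {
        "name": "helper-pack", "publisher": "other-publisher", "version": "0.0.1",
        "extensionDependencies": ["third-publisher.native-runner"],
    },
    "third-publisher.native-runner": {
        "name": "native-runner", "publisher": "third-publisher", "version": "0.0.1",
        "main": "./out/extension.js",
    },
}

if __name__ == "__main__":
    for line in review_update(OLD_MANIFEST, NEW_MANIFEST, CATALOG):
        print(line)
```

Run against a real update you would load both manifests from the .vsix archives (package.json sits in `extension/`) and build the catalog from the manifests of every ID the chain references before trusting it; an ID the snapshot cannot resolve is itself a finding, since the editor will fetch and install it anyway.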
