Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say represents a “significant escalation” in how it propagates via the Open VSX registry.
“Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established,” Socket said in a report published Friday.
The software supply chain security company said it has discovered at least 72 more malicious Open VSX extensions since January 31, 2026, targeting developers. These extensions mimic widely used developer utilities, including linters and formatters, code runners, and tools for artificial intelligence (AI)-powered coding assistants like Claude Code and Google Antigravity.
Some of the extension names are listed below. Open VSX has since taken steps to remove them from the registry –
- angular-studio.ng-angular-extension
- crotoapp.vscode-xml-extension
- gvotcha.claude-code-extension
- mswincx.antigravity-cockpit
- tamokill12.foundry-pdf-extension
- turbobase.sql-turbo-tool
- vce-brendan-studio-eich.js-debuger-vscode
GlassWorm is the name given to an ongoing malware campaign that has repeatedly infiltrated the Microsoft Visual Studio Marketplace and Open VSX with malicious extensions designed to steal secrets and drain cryptocurrency wallets, and to abuse infected systems as proxies for other criminal activities.
Although the activity was first flagged by Koi Security in October 2025, npm packages using the same tactics – notably the use of invisible Unicode characters to hide malicious code – had been identified as far back as March 2025.
The latest iteration retains many of the hallmarks associated with GlassWorm: running checks to avoid infecting systems with a Russian locale, and using Solana transactions as a dead drop resolver to fetch the command-and-control (C2) server for improved resilience.
But the new set of extensions also features heavier obfuscation and rotates Solana wallets to evade detection, and it abuses extension relationships to deploy the malicious payloads, similar to how npm packages rely on rogue dependencies to fly under the radar. Regardless of whether another extension is declared under “extensionPack” or “extensionDependencies” in the extension’s “package.json” file, the editor proceeds to install every extension listed there.
In doing so, the GlassWorm campaign uses one extension as an installer for another, malicious extension. This also opens up new supply chain attack scenarios in which an attacker first uploads a completely harmless VS Code extension to the marketplace to pass review, then updates it to list a GlassWorm-linked package as a dependency.
“As a result, an extension that looked non-transitive and comparatively benign at initial publication can later become a transitive GlassWorm delivery vehicle without any change to its apparent purpose,” Socket said.
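To make the extensionPack / extensionDependencies mechanism concrete, here is an added example (my own code, not Socket's or Open VSX's) that reads the two fields from extension manifests, finds which extension would act as the installer for a given id, and diffs two versions of one manifest to catch a link added after initial publication. The manifests and extension ids in it are constructed.

```javascript
// Added example, not Socket's or Open VSX's code: model how extension manifests
// pull other extensions in via extensionPack / extensionDependencies, find which
// extension acts as installer for a given id, and diff two versions of a manifest.
const LINK_FIELDS = ["extensionPack", "extensionDependencies"];
// Registry ids are "publisher.name"; compare them case-insensitively.
const normalizeId = (id) => String(id).trim().toLowerCase();
// Ids the editor would install alongside this extension, from either field.
function linkedExtensions(manifest) {
  const ids = new Set();
  for (const field of LINK_FIELDS) {
    for (const id of manifest[field] || []) ids.add(normalizeId(id));
  }
  return [...ids];
}
// Graph of publisher.name -> [linked ids] over a set of manifests.
function buildGraph(manifests) {
  const graph = new Map();
  for (const m of manifests) {
    graph.set(normalizeId(`${m.publisher}.${m.name}`), linkedExtensions(m));
  }
  return graph;
}
// Every extension that would, directly or transitively, cause `target` to be
// installed; the visited set keeps cyclic packs from looping.
function findInstallers(graph, target) {
  const want = normalizeId(target);
  const installers = [];
  for (const root of graph.keys()) {
    const seen = new Set([root]);
    const stack = [...(graph.get(root) || [])];
    let hit = false;
    while (stack.length && !hit) {
      const id = stack.pop();
      if (id === want) hit = true;
      else if (!seen.has(id)) { seen.add(id); stack.push(...(graph.get(id) || [])); }
    }
    if (hit) installers.push(root);
  }
  return installers.sort();
}
// Links present in the new manifest but not the old one: the "harmless at first
// publish, delivery vehicle after an update" pattern the article describes.
function newLinks(oldManifest, newManifest) {
  const before = new Set(linkedExtensions(oldManifest));
  return linkedExtensions(newManifest).filter((id) => !before.has(id));
}
// Constructed sample: v1.0.0 declares no links; v1.0.1 adds a pack entry
// pointing at a second, also constructed, extension id.
const FORMATTER_V1 = { publisher: "acme", name: "fmt", version: "1.0.0" };
const FORMATTER_V2 = { ...FORMATTER_V1, version: "1.0.1", extensionPack: ["Example-Pub.Loader-Ext"] };
```

Running `newLinks` over consecutive published versions of each installed extension is the cheap way to surface a dependency that appeared only after the extension was already trusted.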
In a concurrent advisory, Aikido linked the GlassWorm threat actor to a mass campaign spreading across open-source repositories, in which the attackers inject various repositories with invisible Unicode characters that encode a payload. While the content is not visible when loaded into code editors and terminals, it decodes to a loader that is responsible for fetching and executing a second-stage script to steal tokens, credentials, and secrets.
At least 151 GitHub repositories are estimated to have been affected as part of the campaign between March 3 and March 9, 2026. In addition, the same Unicode technique has been deployed in two different npm packages, indicating a coordinated, multi-platform push –
- @aifabrix/miso-client
- @iflow-mcp/watercrawl-watercrawl-mcp
“The malicious injections don’t arrive in obviously suspicious commits,” security researcher Ilyas Makari said. “The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project. This level of project-specific tailoring strongly suggests the attackers are using large language models to generate convincing cover commits.”
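As an added example (my own code, not Aikido's or the campaign's), a scanner for the invisible Unicode characters described above: it walks a file by code point and reports each hidden character with its line and column, so a review step can reject commits that carry them. The code point ranges it checks are a general set I chose, and the sample source is constructed.

```javascript
// Added example, not Aikido's code: flag invisible Unicode code points hidden
// in source text, the smuggling technique the article describes. The ranges
// are a general list of zero-width, bidi-control, variation-selector and tag
// characters I chose for detection, not a list taken from the campaign.
const INVISIBLE_RANGES = [
  [0x00ad, 0x00ad], // soft hyphen
  [0x200b, 0x200f], // zero-width space/joiners, LRM, RLM
  [0x202a, 0x202e], // bidi embeddings and overrides
  [0x2060, 0x2064], // word joiner, invisible operators
  [0x2066, 0x2069], // bidi isolates
  [0x3164, 0x3164], // Hangul filler
  [0xfe00, 0xfe0f], // variation selectors
  [0xfeff, 0xfeff], // zero-width no-break space (BOM)
  [0xe0000, 0xe007f], // Tags block
  [0xe0100, 0xe01ef], // variation selectors supplement
];
function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}
// Walk the text by code point (not UTF-16 unit) and report each invisible
// character with a 1-based line and column; a BOM at offset 0 is tolerated.
function scanInvisible(text) {
  const findings = [];
  let line = 1, col = 1, offset = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp === 0x0a) { line++; col = 1; offset++; continue; }
    if (isInvisible(cp) && !(cp === 0xfeff && offset === 0)) {
      findings.push({ line, col, hex: "U+" + cp.toString(16).toUpperCase().padStart(4, "0") });
    }
    col++; offset++;
  }
  return findings;
}
// Per-line counts, so a reviewer sees which lines carry a hidden run.
function summarize(findings) {
  const perLine = new Map();
  for (const f of findings) perLine.set(f.line, (perLine.get(f.line) || 0) + 1);
  return [...perLine].map(([line, count]) => ({ line, count }));
}
// Constructed sample: a run of Tags-block characters after a comment and a
// zero-width space inside an identifier, neither of which an editor shows.
const SAMPLE_SOURCE =
  "const version = '1.0.1';\n" +
  "// build helper\u{E0041}\u{E0042}\u{E0043}\n" +
  "module.exp\u200Borts = version;\n";
```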
PhantomRaven or Research Experiment?
The development comes as Endor Labs said it discovered 88 new malicious npm packages uploaded in three waves between November 2025 and February 2026 via 50 disposable accounts. The packages include functionality to steal sensitive information from the compromised machine, including environment variables, CI/CD tokens, and system metadata.
The activity stands out for its use of Remote Dynamic Dependencies (RDD), where the “package.json” metadata file specifies a dependency at a custom HTTP URL, thereby allowing the operators to modify the malicious code on the fly and bypass inspection.
While the packages were initially identified as part of the PhantomRaven campaign, the application security company noted in an update that they were produced by a security researcher as part of a legitimate experiment – a claim it challenged, citing three red flags. These include the fact that the libraries collect far more information than necessary, provide no transparency to the user, and are published under deliberately rotated account names and email addresses.
As of March 12, 2026, the owner of the packages has made further changes, swapping out the data-harvesting payload delivered via some of the npm packages published over the three-month period for a simple “Hello, world!” message.
“While the removal of code that collected extensive information is certainly welcome, it also highlights the risks associated with URL dependencies,” Endor Labs said. “When packages rely on code hosted outside the npm registry, authors retain full control over the payload without publishing a new package version. By modifying a single file on the server – or simply shutting it down – they can silently change or disable the behavior of every dependent package at once.”
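As an added example (my own code, not Endor Labs' tooling), a check for the URL dependencies the advisory warns about: it classifies every spec in a package.json by where npm would fetch it from, ranks http(s) tarballs highest because their content can change without a new published version, and returns the non-registry entries for a CI gate. The classification rules follow npm's spec syntax as I know it, and the package.json is a constructed sample.

```javascript
// Added example, not Endor Labs' tooling: find npm dependencies whose spec is
// not a registry version, the Remote Dynamic Dependency pattern the article
// describes. Classification rules follow npm's spec syntax as I know it; the
// package.json at the bottom is a constructed sample.
const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
// Map a dependency spec string to the kind of source npm would fetch it from.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^(file|link|workspace):/i.test(s)) return "local";
  if (/^https?:\/\//i.test(s)) return "url";                 // remote tarball
  if (/^(git\+|git:\/\/|ssh:\/\/|git@)/i.test(s)) return "git";
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return "hosted-git";
  if (/^[\w.-]+\/[\w.-]+(#[\w./-]*)?$/.test(s)) return "hosted-git"; // user/repo shorthand
  if (/^npm:/i.test(s)) return "alias";
  return "registry";
}
// A URL tarball can be rewritten on the server without a new published
// version, which is the risk Endor Labs calls out; rank it above the rest.
const RISK = { url: "high", git: "medium", "hosted-git": "medium", alias: "low", local: "info" };
// Walk every dependency section and return the entries that do not resolve
// through the registry, with their section, spec, kind and risk.
function findNonRegistryDependencies(pkg) {
  const findings = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "registry") findings.push({ section, name, spec, kind, risk: RISK[kind] });
    }
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}
// Highest-risk kind found, for a quick pass/fail in CI.
function highestRisk(findings) {
  const order = ["info", "low", "medium", "high"];
  return findings.reduce((best, f) => (order.indexOf(f.risk) > order.indexOf(best) ? f.risk : best), "none");
}
// Constructed sample package.json; the hostname is a reserved example domain.
const SAMPLE_PACKAGE = {
  name: "example-utils",
  version: "2.3.1",
  dependencies: {
    "core-lib": "^4.17.0",
    "tiny-helper": "http://example.invalid/tiny-helper-1.0.0.tgz",
    "old-name": "npm:core-lib@^4",
  },
  devDependencies: { "some-tool": "github:example-org/some-tool" },
};
```

The same scan belongs in the lockfile review as well, since a URL spec shows up there as a `resolved` field pointing outside the registry.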