GlassWorm hid 73 malicious OpenVSX extensions to steal wallets

GlassWorm placed 73 fake extensions in OpenVSX; six later updated to deliver payloads that harvest crypto wallets, tokens, SSH keys and developer credentials.

Security researchers identified 73 malicious extensions uploaded to the OpenVSX registry as part of the campaign tracked as GlassWorm. Six of the extensions have been updated to deliver active payloads; the remaining 67 are dormant but capable of receiving harmful updates, according to Socket researchers. GlassWorm first appeared in October 2025 and has targeted multiple developer ecosystems.

Attackers published cloned copies of legitimate extensions without obvious malware to build an install base, then pushed malicious updates after a delay. A surge of activity in mid-March 2026 affected hundreds of repositories and dozens of extensions across npm, GitHub repositories, the Visual Studio Code Marketplace and OpenVSX.

Socket researchers identified three delivery techniques in the OpenVSX uploads. One method installs a second VSIX package hosted on GitHub while the extension runs, invoking command-line installer routines. A second uses platform-specific compiled modules, such as .node files, that include core logic and routines to fetch additional payloads. A third embeds heavily obfuscated JavaScript that decodes at runtime and contacts encrypted or fallback URLs to download and install further components. Many cloned extensions mimic icons, names and descriptions; publisher names and unique identifiers are the only reliable differentiators.

The code is designed to harvest access tokens, crypto wallet data, SSH keys and information about developers’ environments. Socket researchers recommend that developers who installed any of the flagged OpenVSX extensions rotate all secrets and thoroughly clean their development environments. Investigators are monitoring whether the dormant copies will receive updates that enable theft.

The OpenVSX uploads are part of a wider pattern of supply-chain attacks on developer tooling. On April 22, 2026, a malicious version of a password manager’s command-line package was available on the npm registry for 93 minutes under @bitwarden/[email protected]. JFrog reported the compromised package exfiltrated GitHub tokens, npm tokens, SSH keys, AWS and Azure credentials, and GitHub Actions secrets. JFrog’s analysis found the package modified installation hooks and its binary entrypoint to load the Bun runtime and execute an obfuscated payload during installation and runtime. Security firms linked that incident to a broader campaign; the affected vendor confirmed the connection.

Researchers note attackers exploit the time between publication and registry content checks. Sonatype reported roughly 454,600 new malicious packages across registries in 2025. Developers are advised to rotate credentials, audit recent installs and monitor for unexpected extension updates. Researchers and maintainers are tracking whether OpenVSX will add additional controls for extension updates and whether any of the remaining extensions activate.
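The audit step the researchers recommend, applied to the traits described above (publisher id as the reliable differentiator, bundled native .node modules, script text that fetches a VSIX from GitHub), as an added example that is not part of the original report or of Socket's tooling. The trusted-publisher set, the function names and the two fake extension folders are constructed assumptions for this example.

```python
"""Audit locally installed VS Code / OpenVSX extension folders for the traits
the report attributes to GlassWorm clones (example code, not Socket's)."""
import json
import re
import tempfile
from pathlib import Path
# Hypothetical allowlist of publisher ids the team has vetted (constructed)
TRUSTED_PUBLISHERS = {"ms-python", "esbenp", "dbaeumer"}
VSIX_FETCH = re.compile(r"https://github\.com/[^\s'\"]+\.vsix", re.I)

def audit_extension(ext_dir: Path, trusted=TRUSTED_PUBLISHERS) -> dict:
    """Return the extension id and a list of findings for one extension dir."""
    manifest = json.loads((ext_dir / "package.json").read_text())
    publisher = manifest.get("publisher", "")
    findings = []
    if publisher not in trusted:
        findings.append(f"untrusted publisher '{publisher}'")
    native = [p.relative_to(ext_dir) for p in ext_dir.rglob("*.node")]
    if native:
        findings.append(f"native module(s): {', '.join(map(str, native))}")
    for js in ext_dir.rglob("*.js"):
        if VSIX_FETCH.search(js.read_text(errors="ignore")):
            findings.append(f"VSIX download URL in {js.relative_to(ext_dir)}")
            break
    return {"id": f"{publisher}.{manifest.get('name', '?')}", "findings": findings}

def audit_all(extensions_root: Path) -> list:
    return [audit_extension(d) for d in sorted(extensions_root.iterdir())
            if (d / "package.json").is_file()]

def build_sample(root=None) -> Path:
    """Construct a clean extension and a look-alike clone so the audit runs offline."""
    root = Path(root or tempfile.mkdtemp())
    good = root / "ms-python.python-2026.1.0"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"publisher": "ms-python", "name": "python"}))
    clone = root / "typo-pub.python-2026.1.0"   # same name, different publisher id
    clone.mkdir(parents=True)
    (clone / "package.json").write_text(json.dumps({"publisher": "typo-pub", "name": "python"}))
    (clone / "extension.js").write_text(
        "const u='https://github.com/example/r/releases/download/v1/x.vsix';")
    (clone / "native").mkdir()
    (clone / "native" / "helper.node").write_bytes(b"\x00")   # fake compiled module
    return root

if __name__ == "__main__":
    for r in audit_all(build_sample()):
        print(r["id"], "->", r["findings"] or "clean")
```

Point audit_all at ~/.vscode/extensions (VS Code) or ~/.vscode-oss/extensions (VSCodium, which pulls from OpenVSX) to run it against a real install; a finding is a prompt to verify the publisher id against the registry listing, not proof of compromise.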
