Socket identified 72 malicious Open VSX extensions linked to GlassWorm on March 13, 2026. The supply-chain malware no longer embeds its loader directly. Operators upload clean extensions first, then add a hidden dependency to a separate loader in a later update.
Aikido Security tied the same threat actor to 151 GitHub repositories. The repos were injected with invisible Unicode payloads between March 3 and 9. Two npm packages were weaponized with the same technique.
GlassWorm abuses two VS Code manifest fields for delivery. extensionPack and extensionDependencies instruct the editor to fetch and activate referenced extensions alongside a parent automatically. Neither field requires the referenced package to share a trust relationship with the parent.
The operator uploads a standalone package containing no malicious payload. After developers install and trust it, a new version adds a separate GlassWorm loader as a dependency. The editor pulls it silently through the normal update path. Download counts are inflated to thousands to simulate popularity.
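The two-stage pattern described above is detectable from an extension's own manifest history: a clean version has no auto-install references, and a later version gains one. The following added example (not Socket's or Open VSX's code) walks consecutive package.json manifests and reports every update that introduces a new extensionPack or extensionDependencies entry, cross-checking additions against a blocklist. The manifests and the blocklist are constructed here, modelled on the otoboss.autoimport-extension history the article describes; the 1.5.5 contents are illustrative, not the real file.

```python
"""Flag version-to-version additions to the VS Code manifest fields that make the
editor fetch other extensions automatically (extensionPack, extensionDependencies)."""
import json

# Manifest fields that cause the editor to pull in and activate other extensions.
TRANSITIVE_FIELDS = ("extensionPack", "extensionDependencies")


def load_manifest(text: str) -> dict:
    """Parse a package.json document as it would be fetched from the registry."""
    return json.loads(text)


def transitive_refs(manifest: dict) -> set[str]:
    """Return every publisher.name reference listed in the auto-install fields."""
    refs: set[str] = set()
    for field in TRANSITIVE_FIELDS:
        value = manifest.get(field, [])
        if isinstance(value, list):
            refs.update(str(v) for v in value)
    return refs


def new_transitive_refs(old: dict, new: dict) -> set[str]:
    """References present in the newer manifest but absent from the older one."""
    return transitive_refs(new) - transitive_refs(old)


def audit_history(versions: list[tuple[str, dict]], blocklist: set[str]) -> list[dict]:
    """Walk consecutive versions (oldest first) and report each update that adds
    a transitive reference. blocklist holds known-bad extension ids, e.g. from a
    vendor's published IOC list."""
    findings = []
    for (old_v, old_m), (new_v, new_m) in zip(versions, versions[1:]):
        added = new_transitive_refs(old_m, new_m)
        if added:
            findings.append({
                "from": old_v,
                "to": new_v,
                "added": sorted(added),
                "known_bad": sorted(added & blocklist),
            })
    return findings


# Constructed manifests: 1.5.5 has no auto-install fields; 1.5.6 adds a loader
# via extensionPack, the change the article reports for this extension.
HISTORY = [
    ("1.5.5", load_manifest(
        '{"name": "autoimport-extension", "publisher": "otoboss", "version": "1.5.5"}')),
    ("1.5.6", load_manifest(
        '{"name": "autoimport-extension", "publisher": "otoboss", "version": "1.5.6",'
        ' "extensionPack": ["federicanc.dotenv-syntax-highlighting"]}')),
]

# Placeholder blocklist; in practice load the published IOC identifiers.
KNOWN_BAD = {"federicanc.dotenv-syntax-highlighting"}

if __name__ == "__main__":
    for finding in audit_history(HISTORY, KNOWN_BAD):
        print(json.dumps(finding))
```

Any hit with a non-empty `known_bad` list is an immediate removal; a hit with an unknown addition still deserves a look, because the pattern is the update that silently widens what the editor will install, not the specific loader name.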
An extension that looked non-transitive and comparatively benign at initial publication can later become a transitive GlassWorm delivery vehicle without any change to its apparent purpose.
— Socket Research Team
Socket confirmed the pattern in otoboss.autoimport-extension. Version 1.5.6 referenced federicanc.dotenv-syntax-highlighting, a confirmed GlassWorm loader, via extensionPack. Version 1.5.7 switched to a different loader. The 72 trojanized packages mimic ESLint, Prettier, Angular, Flutter, Python, Vue, Kubernetes, and WakaTime tooling.
At least one publisher name (daeumer-web) is a direct typosquat of the legitimate ESLint maintainer dbaeumer.
The operation now targets AI coding assistant users specifically. Socket found packages impersonating Claude Code, Codex, and Google Antigravity. Tools like Cursor and Windsurf pull from Open VSX, so infected packages reach not just VS Code users but also users of AI-assisted development environments.
GlassWorm's loader retains core tradecraft from October 2025. It runs Russian locale and timezone checks to skip matching systems. The malware queries the Solana blockchain for C2 addresses embedded in transaction memos. Decryption keys arrive in HTTP response headers rather than being stored locally. Follow-on payloads execute in memory via eval and vm.Script.
March 2026 variants added RC4 and string-array obfuscation. The Solana wallet rotated from BjVeAjPr...o8SC to 6YGcuyFR...zqDJ. Two new C2 IPs joined the reused 45.32.150.251.
The malicious injections don't arrive in obviously suspicious commits. The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project. This level of project-specific tailoring strongly suggests the attackers are using large language models to generate convincing cover commits.
— Ilyas Makari, security researcher, Aikido Security
Aikido's GitHub findings affect notable repositories. Projects from Wasmer, Reworm, and anomalyco (the organization behind OpenCode and SST) appeared among the 151 infected repos. The injected payload uses Unicode Private Use Area characters that render as zero-width whitespace in every editor. A small decoder extracts the hidden bytes and passes them to eval().
Two npm packages carried the same Unicode loader. @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp appeared during the March window.
Koi Security first flagged GlassWorm on October 18, 2025. CTO Idan Dardikman spotted a compromised extension called CodeJoy on Open VSX. That wave infected seven packages with 35,800 combined installs.
The malware is invisible. Not obfuscated. Not hidden in a minified file. Actually invisible to the human eye.
— Idan Dardikman, CTO and co-founder, Koi Security
Koi's November 2025 investigation exposed the attacker's server. A partial victim list spanned the US, South America, Europe, and Asia, including a Middle Eastern government entity. Keylogger artifacts from the operator's own machine confirmed a Russian-speaking threat actor using the open-source RedExt C2 framework.
The Unicode concealment technique dates to November 2021. University of Cambridge researchers described the vector in CVE-2021-42574, dubbed "Trojan Source." GlassWorm is the most extensive known weaponization of that proof of concept.
Open VSX removed most of the trojanized extensions as of March 13. Socket noted that twilkbilk.color-highlight-css and crotoapp.vscode-xml-extension remained live at publication time. The former displayed 3,500 inflated downloads. Takedowns were ongoing but incomplete.
GlassWorm's shift from direct embedding to transitive dependency abuse, paired with LLM-generated commit camouflage across 151 repositories, is the first documented supply-chain operation where the attacker uses AI to scale both delivery and deception.
— Artem Safonov, Threat Analyst at AnonHaven
Developers should audit the version histories of installed Open VSX extensions for newly added extensionPack or extensionDependencies fields. Any package on Socket's IOC list should be removed immediately. All credentials on affected machines (npm tokens, GitHub tokens, CI/CD secrets) should be rotated. GitHub maintainers who accepted pull requests between March 3 and 9 should scan JavaScript files for non-ASCII content using Snyk's anti-trojan-source tool.
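The Unicode concealment described for the GitHub and npm injections (Private Use Area characters that render as zero-width whitespace) and the scan recommended above both come down to the same check: find code points in source text that carry no visible glyph. The following added example, not Snyk's tool or the researchers' code, classifies each character as private-use, bidi control (the Trojan Source class), zero-width, or other format/unassigned, reports line and column, and measures the longest invisible run, since a long run inside an otherwise ASCII line is the shape of a hidden payload. The JavaScript sample is constructed for the example.

```python
"""Scan source text for invisible or private-use code points of the kind used to
hide payloads in plain-looking JavaScript."""
import unicodedata

# Private Use Areas: BMP plus the two supplementary planes.
PUA_RANGES = ((0xE000, 0xF8FF), (0xF0000, 0xFFFFD), (0x100000, 0x10FFFD))
# Bidirectional embedding/override/isolate controls (the Trojan Source vector).
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}
# Joiners and other zero-width characters that also render as nothing.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}


def classify(cp: int):
    """Return a finding kind for an invisible code point, or None for ordinary text."""
    if any(lo <= cp <= hi for lo, hi in PUA_RANGES):
        return "private-use"
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if cp in ZERO_WIDTH:
        return "zero-width"
    # Catch-all for non-ASCII format (Cf), unassigned (Cn) and private-use (Co)
    # categories not matched above; accented letters and CJK text pass through.
    if cp > 0x7F and unicodedata.category(chr(cp)) in ("Cf", "Cn", "Co"):
        return "format-or-unassigned"
    return None


def scan_source(text: str) -> list[dict]:
    """Report every invisible code point with its 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ord(ch))
            if kind:
                findings.append({"line": lineno, "col": col,
                                 "codepoint": f"U+{ord(ch):04X}", "kind": kind})
    return findings


def longest_invisible_run(text: str) -> int:
    """Length of the longest stretch of consecutive invisible code points."""
    best = run = 0
    for ch in text:
        if classify(ord(ch)):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


# Constructed sample: line 2 carries an eight-character Private Use Area run
# inside a function body; line 3 wraps a word in a bidi override pair.
SAMPLE_JS = (
    "const version = '1.5.6';\n"
    "function init() {\uE041\uE042\uE043\uE044\uE045\uE046\uE047\uE048 return true; }\n"
    "// comment \u202Ehidden\u202C\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f)
    print("longest invisible run:", longest_invisible_run(SAMPLE_JS))
```

Run it over each changed file in a pull request; a result of zero findings is the expected state for a JavaScript codebase that does not intentionally embed non-ASCII strings, and any private-use hit is worth treating as a blocker until explained.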