:

GLASSWORM MALWARE RETURNS WITH 73 HIDDEN EXTENSIONS

SECURITY DESK2 MIN READ
MON, APR 27, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

The GlassWorm campaign has resurfaced with 73 malicious "sleeper" extensions in the OpenVSX marketplace. These extensions remain dormant until activated through updates, creating a delayed-attack vector.

Security researchers have identified a renewed GlassWorm malware campaign targeting the OpenVSX ecosystem with 73 infected extensions designed to evade immediate detection. The attack uses a "sleeper" mechanism where extensions appear benign upon installation but become malicious following an update. This delay tactic complicates detection and allows the malware to establish a foothold before activating its payload. OpenVSX is an open-source registry for Visual Studio Code extensions. The platform's decentralized model, while offering community benefits, creates security challenges for vetting submissions. Researchers discovered the malicious extensions had been uploaded to the repository and were available for download. The GlassWorm campaign is not new. Previous iterations have targeted package repositories and developer tools. This latest variant demonstrates persistent efforts to compromise developer environments—high-value targets due to access to source code and deployment credentials. Affected users should audit recently installed extensions and review update histories. OpenVSX maintainers have been notified and have removed the identified malicious extensions from the repository. The incident highlights broader supply-chain security concerns in software development. Attackers increasingly target repositories and package managers as entry points, recognizing that compromised developer tools can affect downstream users and organizations. Developers are advised to review extensions for suspicious behavior, verify extension sources, and consider using only officially maintained or widely-trusted extensions. Organizations should implement code review processes and monitor extension activity within development environments. OpenVSX users can check their installed extensions against published lists of affected packages. Those who installed any of the 73 malicious extensions should remove them immediately and monitor systems for unauthorized activity.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

New York became the first US state to prohibit smart glasses across its entire court system. The ban covers all 1,240 state, county, city, town, and village courts.

1H AGOIndustry Desk

Federal investigators report that the Department of Government Efficiency (DOGE) deleted records that would have shown whether the agency accessed sensitive government systems. A government report claims DOGE did not access those systems.

4H AGOAI Desk

Madison Square Garden kept a detailed database categorizing hundreds of celebrities, including LGBTQIA labels and risk assessments. The list tracked famous attendees and Taylor Swift's wedding guests.

4H AGOIndustry Desk

Interpol and law enforcement agencies have arrested 5,811 suspects and seized $293 million across 97 countries in a coordinated operation targeting social engineering scams and fraud.

4H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.