2026-05-137 minhigh

73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations

The GlassWorm threat campaign has escalated its supply chain attacks on the Open VSX marketplace by publishing 73 impersonation 'sleeper' extensions. These extensions initially contain no malicious code to bypass security scans, but are later updated to act as thin loaders that retrieve and execute secondary .vsix payloads from GitHub releases using bundled native binaries or obfuscated JavaScript.

Sens:■ ImmediateConf:highAnalyzed:2026-04-28reports

Authors: Socket

ActorsGlassWorm

GlassWorm Supply Chain VS Code Sleeper Extensions Open VSX

Source:Socket

IOCs · 5

sha256
1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168Native installer binary (.node) bundled in malicious extensions to fetch payloads.
sha256
97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfdDownloaded malicious VSIX payload.
url
github[.]com/ColossusQuailPray/oiegjqdeGitHub repository used for hosting malicious VSIX payloads.
url
github[.]com/francesca898/dqwffqwGitHub repository used for hosting malicious VSIX payloads.
url
github[.]com/SquadMagistrate10/wnxtgkihGitHub repository used for hosting malicious VSIX payloads.

Detection / Hunter

What Happened

A cyberattack campaign known as GlassWorm has uploaded 73 fake software extensions to the Open VSX marketplace, which is used by developers for tools like Visual Studio Code. These fake extensions are designed to look exactly like popular, legitimate ones to trick developers into downloading them. Once installed, the extensions wait quietly before updating themselves to download and install hidden malware onto the developer's computer. This is highly dangerous because it targets the software developers use to build other software, potentially compromising many systems. Developers should carefully verify the publisher and download counts of any extensions they install.

Key Takeaways

The GlassWorm campaign has deployed 73 impersonation 'sleeper' extensions on the Open VSX marketplace.
Extensions initially appear benign to bypass security checks, later activating via updates to deliver malware.
Delivery mechanisms have shifted to using the extension as a thin loader, fetching payloads via bundled native .node binaries or obfuscated JavaScript.
Payloads are typically .vsix files hosted on GitHub releases, installed using the '--install-extension' command across multiple IDEs.
The campaign relies heavily on social engineering, cloning legitimate extension branding and descriptions to trick developers.

Affected Systems

Open VSX marketplace
Visual Studio Code (VS Code)
Cursor
Windsurf
VSCodium
Developer workstations

Attack Chain

The attacker publishes cloned, benign-looking extensions to the Open VSX marketplace using newly created GitHub accounts. Developers install these extensions, deceived by the copied branding and descriptions. In a subsequent update, the extension is modified to act as a loader, utilizing either a bundled native .node binary or obfuscated JavaScript. Upon activation, the loader fetches a malicious .vsix payload from a GitHub release and installs it into the host IDE (VS Code, Cursor, etc.) using the '--install-extension' command line argument.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but lists actionable IOCs including file hashes, malicious GitHub repository URLs, and specific malicious extension identifiers.

Detection Engineering Assessment

EDR Visibility: Medium — EDRs can monitor child processes spawned by IDEs executing '--install-extension', but might miss the initial JavaScript execution within the Node.js environment of the IDE. Network Visibility: Medium — Network traffic to GitHub releases is common and encrypted, making it hard to distinguish malicious payload downloads from legitimate developer activity without TLS inspection and specific URL matching. Detection Difficulty: Moderate — The use of legitimate platforms (GitHub, Open VSX) and native IDE commands blends in with normal developer behavior, requiring baseline comparisons to detect anomalies.

Required Log Sources

Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
Network Connection Logs
File Creation Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for IDE processes (e.g., code.exe, cursor.exe) spawning child processes with the '--install-extension' command line argument, especially if the extension path points to a recently downloaded file in a user temp directory.	Process Creation Logs	Execution	High
Search for network connections from IDE processes to unusual or newly created GitHub repositories, specifically targeting the download of .vsix files.	Network Connection Logs	Command and Control / Tool Transfer	Medium
Identify the execution or loading of unexpected .node binaries from within IDE extension directories.	File Creation Logs / Image Load Logs	Execution	Medium

Control Gaps

Standard IDE extension security scanning (bypassed by sleeper updates)
Network filtering (GitHub is typically allowlisted)

Key Behavioral Indicators

IDE processes executing --install-extension
Unexpected .node binaries executing within extension directories

False Positive Assessment

Recommendations

Immediate Mitigation

Search for and remove any installed extensions matching the provided IOC list (e.g., 'Emotionkyoseparate.turkish-language-pack').
Block access to the identified malicious GitHub repository URLs.

Infrastructure Hardening

Implement strict allowlisting for IDE extensions, preventing developers from installing unapproved extensions from the Open VSX marketplace.

User Protection

Deploy EDR rules to monitor and alert on IDEs spawning suspicious child processes or executing unexpected extension installations.

Security Awareness

Train developers to verify extension publishers, download counts, and repository links before installing extensions, even if the branding looks familiar.

MITRE ATT&CK Mapping

T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1036.005 - Masquerading: Match Legitimate Name or Location
T1105 - Ingress Tool Transfer
T1059.007 - Command and Scripting Interpreter: JavaScript
T1027 - Obfuscated Files or Information

Additional IOCs

File Hashes:
- 4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd (sha256) - Native installer binary (.node) bundled in malicious extensions.
Command Lines:
- Purpose: Installs the downloaded malicious VSIX payload into the target IDE. | Tools: IDE CLI (code, cursor, windsurf, vscodium) | Stage: Execution/Installation | --install-extension
Other:
- outsidestormcommand.monochromator-theme - Confirmed malicious extension identifier.
- keyacrosslaud.auto-loop-for-antigravity - Confirmed malicious extension identifier.
- krundoven.ironplc-fast-hub - Confirmed malicious extension identifier.
- boulderzitunnel.vscode-buddies - Confirmed malicious extension identifier.
- cubedivervolt.html-code-validate - Confirmed malicious extension identifier.
- winnerdomain17.version-lens-tool - Confirmed malicious extension identifier.
- peldravix.rpgiv2free-live-tool - Sleeper extension identifier.
- forkelbat.supersigil-rich-hub - Sleeper extension identifier.
- fyltroven.gitchat-fast-tool - Sleeper extension identifier.
- syndakove.todo4vcode-quick-suite - Sleeper extension identifier.
- vendrakos.rumdl-pro-kit - Sleeper extension identifier.
- stadiumgripier.vscode-onedark-theme - Sleeper extension identifier.
- wildlightregain.oxc-lint-format - Sleeper extension identifier.
- haelthorn.fractal-fast-studio - Sleeper extension identifier.
- gastholve.shell-pro-kit - Sleeper extension identifier.
- tossbers.browser-open-tool - Sleeper extension identifier.
- pranlokev.topmodel-fast-suite - Sleeper extension identifier.
- weldforick.brightscript-pro-kit - Sleeper extension identifier.
- stelbavik.hledger-fast-tool - Sleeper extension identifier.
- brixmundo.eca-easy-tool - Sleeper extension identifier.
- shinypy.pycode-formatter - Sleeper extension identifier.
- carveltstone.chatbuddy-auto-suite - Sleeper extension identifier.
- thunderprosecutor.autopep8-formatter - Sleeper extension identifier.
- spikearshock.csv-rainbow - Sleeper extension identifier.
- countrepresent49.code-image-preview - Sleeper extension identifier.
- lairinspectortrek70.todo-highlighter - Sleeper extension identifier.
- superneentrance.peacock-colors - Sleeper extension identifier.
- epichipporedeem.prettier-eslint-formatter - Sleeper extension identifier.
- archchainturn.twinny-ai-assist - Sleeper extension identifier.
- spacesalamanderhook.italian-language-pack - Sleeper extension identifier.
- closedtierenchant.vscode-awesome-icons - Sleeper extension identifier.
- sremuven.beautify-super-lens - Sleeper extension identifier.
- goltikov.auto-rich-forge - Sleeper extension identifier.
- karnikov.better-rich-studio - Sleeper extension identifier.
- trenarin.autodocstring-auto-studio - Sleeper extension identifier.
- meldarin.biome-live-tool - Sleeper extension identifier.
- gronarin.auto-super-kit - Sleeper extension identifier.
- keltarin.android-deep-hub - Sleeper extension identifier.
- tralaven.c-easy-tool - Sleeper extension identifier.
- meltovik.bookmark-rich-tool - Sleeper extension identifier.
- seldovik.cmake-smart-pilot - Sleeper extension identifier.
- veldekov.csv-pro-suite - Sleeper extension identifier.
- brenaven.cursor-rich-helper - Sleeper extension identifier.
- karnenko.cursorless-pro-pilot - Sleeper extension identifier.
- faldenko.explorer-auto-hub - Sleeper extension identifier.
- vornovin.ionic-easy-kit - Sleeper extension identifier.
- tormekov.htmlmustache-fast-craft - Sleeper extension identifier.
- dalsoven.intellij-live-pilot - Sleeper extension identifier.
- krosarin.npm-fast-studio - Sleeper extension identifier.
- meltuven.graphql-pro-tool - Sleeper extension identifier.
- veltarik.duplicate-fast-helper - Sleeper extension identifier.
- tralarin.firefox-rich-lens - Sleeper extension identifier.
- brixovik.es7-quick-hub - Sleeper extension identifier.
- krosovik.laravel-quick-pilot - Sleeper extension identifier.
- grisaven.markdown-live-kit - Sleeper extension identifier.
- dranaven.flask-live-craft - Sleeper extension identifier.
- drovenko.data-live-suite - Sleeper extension identifier.
- krosaven.dot-live-forge - Sleeper extension identifier.
- sremekov.javascriptsnippets-rich-craft - Sleeper extension identifier.
- breluven.html-smart-suite - Sleeper extension identifier.
- trikarin.database-super-tool - Sleeper extension identifier.
- sremovik.dendron-deep-hub - Sleeper extension identifier.
- dalsovik.dbclient-quick-suite - Sleeper extension identifier.
- frelovin.gitpod-deep-helper - Sleeper extension identifier.
- mrekelid.manpages-fast-kit - Sleeper extension identifier.
- kuldaran.search-smart-forge - Sleeper extension identifier.
- prednovik.php-super-pilot - Sleeper extension identifier.
- tagovich.zener-pro-craft - Sleeper extension identifier.
- grozdarov.jinjahtml-easy-studio - Sleeper extension identifier.
- shiverov.open-smart-suite - Sleeper extension identifier.
- draconzal.phpstan-easy-hub - Sleeper extension identifier.
- marabenov.graphql-super-craft - Sleeper extension identifier.