The GlassWorm threat actor has evolved its supply chain attack methodology by abusing VS Code extension manifest fields to transitively deliver malicious payloads. This technique allows initially benign extensions to pull in malicious dependencies during later updates, executing staged JavaScript loaders that target developer workstations for credential and secret theft.