The GlassWorm threat campaign has escalated its supply chain attacks on the Open VSX marketplace by publishing 73 impersonation 'sleeper' extensions. These extensions initially contain no malicious code to bypass security scans, but are later updated to act as thin loaders that retrieve and execute secondary .vsix payloads from GitHub releases using bundled native binaries or obfuscated JavaScript.