The GlassWorm malware campaign has evolved to deploy 'sleeper' extensions on Open VSX that are subsequently weaponized to download malicious VSIX payloads hosted on GitHub. The malware employs sophisticated evasion techniques, including Russian geofencing, source-to-compiled code mismatches, and utilizing the Solana blockchain as a dead-drop resolver for command and control, ultimately leading to arbitrary Node.js code execution across multiple developer IDEs.