Subtle tremors across everyday coding sessions concealed a methodical shift in extension supply chains that let a single install seed multi‑stage malware, siphon credentials, and quietly reuse compromised accounts to publish look‑alikes before defenders could connect the dots. The campaign, attributed to GlassWorm, reframed how extensions gain trust and how payloads move, pivoting from obvious malicious bundles to sleepers that activate later, chain dependencies, and fetch logic from off‑platform hosts. What followed was a race between rapid seeding and rapid takedowns, with the developer ecosystem learning hard lessons about metadata, manifests, and marketplace governance.
Chronology
2019–2023: The Groundwork
Explosive growth of VS Code and Open VSX normalized quick, low‑friction installs, as auto‑updates and permissive outbound calls became routine. Convenience trumped caution: developers clicked through, and look‑alike naming—mirroring patterns seen in npm—blurred brand boundaries. Security reviews focused on code inside packages, leaving metadata, dependency graphs, and runtime fetches thinly examined. That gap would later become the campaign’s runway.
Early 2024: Blind Spots Become Strategic
Defenders leaned on code‑only reviews and signatures, while adversaries learned to externalize critical logic. Extensions began deferring behavior to dependencies or remote hosts, shifting the most sensitive steps outside what scanners typically parsed. The install or first activation became the moment of truth, yet detection tools rarely watched network calls or chained resolvers in that window.
October 2025: GlassWorm’s First Wave
GlassWorm seeded nearly 100 malicious extensions and about 20 dormant sleepers, impersonating trusted projects by copying names, icons, and READMEs. The goal was reach, not noise: probe developer workflows, harvest credentials, and test how quickly marketplaces noticed. By studying response times, the actor tuned for survivability and measured how far tainted packages could spread before triage.
Q1 2026: Tradecraft Matures
The campaign pivoted to metadata‑driven activation. Using extensionPack and extensionDependencies, benign‑seeming installs silently pulled more packages later. Payloads moved off‑platform to GitHub and malicious dependencies, including .vsix installers, native binaries, and runtime‑decoded, obfuscated JavaScript. Logic fractured across hosts, foiling single‑point analysis and muddling attribution.
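The metadata-driven activation described above lives in ordinary package.json fields, which is why a code-only review can miss it. The following Python script is an added example (not code from the original article or from any marketplace) of the manifest-diff audit a defender can run between two versions of an extension: it flags newly declared extensionPack and extensionDependencies entries, marks whether each added publisher is on a verified-publisher allowlist, and also catches activation broadening and entry-point changes. The two manifests, the extension and publisher names, and the allowlist are all constructed for illustration.

```python
import json
from typing import Dict, Iterable, List

# Constructed "before" and "after" manifests for a hypothetical theme extension.
# Illustrative only: the extension and publisher names are made up.
BEFORE_MANIFEST = json.dumps({
    "name": "example-theme",
    "publisher": "trusted-publisher",
    "version": "1.0.0",
    "engines": {"vscode": "^1.80.0"},
    "contributes": {"themes": [{"label": "Example", "path": "./themes/example.json"}]},
})

AFTER_MANIFEST = json.dumps({
    "name": "example-theme",
    "publisher": "trusted-publisher",
    "version": "1.0.1",
    "engines": {"vscode": "^1.80.0"},
    "contributes": {"themes": [{"label": "Example", "path": "./themes/example.json"}]},
    # A theme suddenly declares companions the marketplace installs alongside it.
    "extensionPack": ["trusted-publisher.example-icons", "another-pub.runtime-loader"],
    "extensionDependencies": ["unknown-pub.helper-core"],
    # "*" makes the extension activate on every editor start.
    "activationEvents": ["*"],
    "main": "./out/extension.js",
})

# Hypothetical allowlist of publishers the organisation has verified.
VERIFIED_PUBLISHERS = {"trusted-publisher"}

# Manifest keys that cause additional extensions to be installed.
PULL_KEYS = ("extensionPack", "extensionDependencies")


def _publisher_of(extension_id: str) -> str:
    """Extension ids have the form '<publisher>.<name>'; return the publisher part."""
    return extension_id.split(".", 1)[0]


def audit_manifest_diff(before_json: str, after_json: str,
                        verified: Iterable[str] = VERIFIED_PUBLISHERS) -> List[str]:
    """Compare two versions of an extension manifest and return readable findings
    for changes that can pull code or behaviour from outside the reviewed package."""
    before: Dict = json.loads(before_json)
    after: Dict = json.loads(after_json)
    verified = set(verified)
    findings: List[str] = []

    # 1. Newly declared packs/dependencies: each is an install the user never chose.
    for key in PULL_KEYS:
        added = set(after.get(key, [])) - set(before.get(key, []))
        for ext_id in sorted(added):
            status = "verified" if _publisher_of(ext_id) in verified else "UNVERIFIED"
            findings.append(f"{key}: added {ext_id} ({status} publisher)")

    # 2. Activation broadened to every startup.
    if "*" in after.get("activationEvents", []) and "*" not in before.get("activationEvents", []):
        findings.append("activationEvents: now activates on every startup ('*')")

    # 3. Entry point appears or changes (a pure theme has no 'main' at all).
    for key in ("main", "browser"):
        if before.get(key) != after.get(key):
            findings.append(f"{key}: entry point changed {before.get(key)!r} -> {after.get(key)!r}")

    # 4. Publisher changed between versions (account takeover or look-alike).
    if before.get("publisher") != after.get("publisher"):
        findings.append(f"publisher: changed {before.get('publisher')!r} -> {after.get('publisher')!r}")

    return findings


def blocks_rollout(findings: List[str]) -> bool:
    """Policy: hold the update for review if any added pack/dependency comes from an
    unverified publisher, or if activation, entry point or publisher changed."""
    return any("UNVERIFIED" in f or f.startswith(("activationEvents", "main", "browser", "publisher"))
               for f in findings)


if __name__ == "__main__":
    result = audit_manifest_diff(BEFORE_MANIFEST, AFTER_MANIFEST)
    for line in result:
        print(line)
    print("hold for review:", blocks_rollout(result))
```

Run against the constructed pair, the audit reports three added extension ids (two from unverified publishers), the switch to startup activation, and a new entry point where the theme previously had none; `blocks_rollout` then holds the update. The same function can be wired into a mirror's update pipeline so that a manifest which begins pulling in companions is reviewed before it reaches developers.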
April 2026: The Latest Surge
Seventy‑three new sleepers appeared on Open VSX; six activated to deliver malware. Targets included developer credentials across Open VSX, GitHub, npm, and cryptocurrency wallets. Confirmed impersonations hit Monochromator theme, AutoAntigravity, IronPLC, VS Code Pets, HTML‑validate, and Version Lens. Open VSX removed known‑malicious and suspected sleepers shortly after disclosure, limiting immediate spread.
Post-Disclosure 2026: Rapid Takedowns, Lingering Risk
Marketplace enforcement accelerated, yet residual risk persisted because compromised accounts could self‑propagate by publishing fresh tainted extensions. Off‑platform payloads and chained dependencies complicated cleanup, ensuring that simple removal seldom equaled full remediation or confident attribution.
Conclusion
This sequence underscored how metadata, manifests, and remote payloads reshaped extension risk, and it favored behavior‑aware defenses. Next steps should have prioritized manifest‑diff auditing (especially extensionPack/extensionDependencies), sandboxed activation before production rollout, and strict egress controls during install and update. Organizations also should have mirrored vetted dependencies with provenance checks, enforced verified‑publisher allowlists, and traced end‑to‑end install/update chains to detect unexpected fetches. For deeper study, teams could have examined extension lifecycle telemetry, marketplace policy variance between VS Code and Open VSX, and techniques for safe quarantine of sleepers to validate behavior without tipping attackers.
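The early-2024 section notes that detection tools rarely watched network calls during the install or first-activation window, and the conclusion recommends strict egress controls and end-to-end tracing of install/update chains. The Python below is an added example (not code from the original article or from any product) of that check: it correlates extension-host lifecycle events with outbound connections and reports every connection to a non-allowlisted host that falls inside an install or activation window. The log format, the event names, the allowlist and the sample lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample telemetry (illustrative, not real captures): extension-host
# lifecycle events interleaved with outbound connection records, one per line.
SAMPLE_LOG = """\
2026-04-02T10:00:00Z ext.install id=trusted-publisher.example-theme version=1.0.1
2026-04-02T10:00:03Z net.connect src=ext-host dst=open-vsx.org:443
2026-04-02T10:00:04Z net.connect src=ext-host dst=raw.githubusercontent.com:443
2026-04-02T10:00:05Z ext.activate id=trusted-publisher.example-theme
2026-04-02T10:00:06Z net.connect src=ext-host dst=203.0.113.10:8443
2026-04-02T10:00:30Z net.connect src=renderer dst=update.code.visualstudio.com:443
2026-04-02T10:05:00Z net.connect src=ext-host dst=api.github.com:443
"""

# Hypothetical egress allowlist for the install/update window: only the marketplace
# itself should be contacted while an extension is being installed or first activated.
ALLOWED_EGRESS = {"open-vsx.org", "marketplace.visualstudio.com"}
WINDOW = timedelta(seconds=60)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(\S+) (\S+)(?: (.*))?$")

Event = Tuple[datetime, str, Dict[str, str]]


def parse_line(line: str) -> Event:
    """Parse '<timestamp> <event.kind> key=value ...' into (time, kind, fields)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m.group(1), TS_FORMAT)
    fields = dict(kv.split("=", 1) for kv in (m.group(3) or "").split())
    return ts, m.group(2), fields


def unexpected_fetches(log_text: str, allowed=ALLOWED_EGRESS,
                       window=WINDOW) -> List[Tuple[str, str, str]]:
    """Return (extension_id, destination, timestamp) for every extension-host
    connection to a non-allowlisted host inside an install or activation window."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    open_windows: List[Tuple[str, datetime, datetime]] = []
    findings: List[Tuple[str, str, str]] = []
    for ts, kind, f in events:
        if kind in ("ext.install", "ext.activate"):
            # Each install or activation opens a watch window for that extension.
            open_windows.append((f["id"], ts, ts + window))
        elif kind == "net.connect" and f.get("src") == "ext-host":
            host = f["dst"].rsplit(":", 1)[0]
            if host in allowed:
                continue
            for ext_id, start, end in open_windows:
                if start <= ts <= end:
                    findings.append((ext_id, f["dst"], ts.strftime(TS_FORMAT)))
                    break  # attribute each connection to one window only
    return findings


if __name__ == "__main__":
    for ext_id, dst, when in unexpected_fetches(SAMPLE_LOG):
        print(f"{when} {ext_id} contacted {dst} during install/activation window")
```

On the constructed log the marketplace fetch is allowed, the renderer's update check is ignored because it is not the extension host, and the GitHub call five minutes later falls outside every window; the two connections flagged are the raw GitHub fetch and the direct-to-IP connection that happen seconds after install and activation. In production the same windows are where an egress policy should deny rather than merely log, and where sandboxed activation of a suspected sleeper can be observed without exposing a developer workstation.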