
GlassWorm surges on Open VSX, and the campaign has evolved into transitive infection through extension dependencies

Ikesan

Open VSX has seen a major expansion of the GlassWorm malware campaign. According to Socket’s research, 72 malicious extensions were newly discovered after January 31, 2026, and the operation has also spread to GitHub repositories through invisible Unicode characters and to npm packages through infection. What started as a malware drop has become a broader supply-chain campaign.

Transitive delivery through extensionDependencies

The most notable change in this wave is the technique itself. Earlier GlassWorm samples embedded a loader directly in each extension. In the second wave, the attackers began abusing the VS Code extension manifest fields extensionPack and extensionDependencies.

The two fields have very different purposes.

| Field | Intended use | Behavior at install time |
| --- | --- | --- |
| extensionPack | Ship related extensions as a bundle | Installs every extension in the pack at once |
| extensionDependencies | Declare runtime dependencies required by an extension | Automatically installs the extensions listed as dependencies |

Attackers use this by registering a malicious extension ID in the extensionDependencies of a front-end extension that looks harmless. The moment a developer installs the front-end extension, the editor walks the dependency chain and installs the malicious payload automatically. Only the first item is shown in the install prompt, so the user cannot easily see what the dependency chain will pull in.

Socket described the move as replacing direct loader insertion with a seemingly standalone extension that becomes a vehicle for transitive delivery.
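To make the dependency-chain behavior concrete, here is an added example (not code from the article or from Socket) that walks the extensionDependencies and extensionPack fields of a front-end extension's manifest the way the editor's resolver does, and reports everything beyond the single item the install prompt displays. The registry is a constructed in-memory stand-in with made-up publisher and extension IDs; a real tool would fetch each manifest from the marketplace API instead.

```python
"""Walk the extensionDependencies / extensionPack chain that one
VS Code extension install would pull in.

Added example, not code from the article or from Socket. The registry
below is a constructed stand-in: the publisher and extension IDs are made
up, and a real tool would fetch each manifest from the marketplace API
instead of reading a dict.
"""
from collections import deque

# Constructed registry: extension ID -> the manifest fields that matter.
# Keys are stored lower-case because VS Code compares IDs case-insensitively.
CONSTRUCTED_REGISTRY = {
    "example-pub.helpful-linter": {
        "displayName": "Helpful Linter",
        "extensionDependencies": ["example-pub.linter-core"],
        "extensionPack": ["example-pub.linter-theme"],
    },
    "example-pub.linter-core": {
        "displayName": "Linter Core",
        "extensionDependencies": ["unknown-pub.runtime-helper"],
    },
    "example-pub.linter-theme": {"displayName": "Linter Theme"},
    "unknown-pub.runtime-helper": {
        "displayName": "Runtime Helper",
        # cycle back to the front extension; a resolver must tolerate this
        "extensionDependencies": ["Example-Pub.Helpful-Linter"],
    },
}


def resolve_install_set(root_id, registry):
    """Return (installed, edges): every extension ID installed when root_id
    is installed, in resolution order, plus the (parent, child, field)
    edges that pulled each one in. Breadth-first with a visited set, so
    cyclic manifests terminate; an ID missing from the registry is
    recorded as an unresolved edge rather than raising."""
    root = root_id.lower()
    installed, seen, edges = [root], {root}, []
    queue = deque([root])
    while queue:
        current = queue.popleft()
        manifest = registry.get(current)
        if manifest is None:
            edges.append((current, None, "unresolved"))
            continue
        for field in ("extensionDependencies", "extensionPack"):
            for dep in manifest.get(field, []):
                dep_id = dep.lower()
                edges.append((current, dep_id, field))
                if dep_id not in seen:
                    seen.add(dep_id)
                    installed.append(dep_id)
                    queue.append(dep_id)
    return installed, edges


def hidden_installs(root_id, registry):
    """Everything the install prompt does not show: the transitive closure
    minus the one item the developer clicked."""
    installed, _ = resolve_install_set(root_id, registry)
    return installed[1:]


if __name__ == "__main__":
    chain, edges = resolve_install_set("Example-Pub.Helpful-Linter", CONSTRUCTED_REGISTRY)
    print("install prompt shows:", chain[0])
    print("actually installed  :", ", ".join(chain))
    for parent, child, field in edges:
        print(f"  {parent} --{field}--> {child}")
```

Run against a real manifest, the interesting output is the edge list: a dependency two hops away from the extension the developer chose is exactly what the one-line install prompt never surfaces.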

Attack flow

```mermaid
graph TD
    A[Attacker publishes a seemingly harmless front-end extension] --> B[Malicious extension ID is added to<br/>extensionDependencies]
    B --> C[Developer installs the front-end extension]
    C --> D[Editor automatically resolves the dependency chain]
    D --> E[Malicious extension is installed]
    E --> F[GlassWorm loader runs]
    F --> G[Solana blockchain is queried for<br/>the C2 server address]
    G --> H[Tokens, credentials, and secrets are stolen]
```

Masquerading targets

The 72 malicious extensions imitate legitimate developer tools. The fake categories include:

  • Angular linters and formatters
  • Code runners and debuggers
  • AI-assisted coding tools that imitate Claude Code and Google Antigravity
  • XML editors and PDF tools
  • SQL database utilities

Examples of malicious package names include gvotcha.claude-code-extension (posing as Claude Code), mswincx.antigravity-cockpit (posing as Google Antigravity), and angular-studio.ng-angular-extension.

Lateral spread to GitHub and npm

The campaign does not stop at Open VSX. Aikido researchers found invisible Unicode characters embedded in 151 GitHub repositories between March 3 and March 9, 2026.

The technique here is zero-width Unicode steganography. These characters are hidden in most editors and diff views, so visual code review usually misses them.

| Character | Unicode | Official name | Intended use |
| --- | --- | --- | --- |
| ZWSP | U+200B | Zero-Width Space | Marks optional line break points |
| ZWNJ | U+200C | Zero-Width Non-Joiner | Prevents ligatures between adjacent characters |
| ZWJ | U+200D | Zero-Width Joiner | Joins characters in emoji sequences |
| WJ | U+2060 | Word Joiner | Prevents line breaks |
| LRM | U+200E | Left-to-Right Mark | Forces left-to-right direction |
| RLM | U+200F | Right-to-Left Mark | Forces right-to-left direction |

The encoded payload hidden in the source code is decoded at runtime into a loader that fetches token- and secret-stealing scripts from a remote location.
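Because these code points are invisible in editors and diff views, catching them needs a tool rather than a reviewer's eyes. The following added example (not code from the article, from Aikido, or from any project) scans source text for the six characters in the table above, reports each one with line and column, and separately flags long runs of them, which is the shape an encoded payload takes, while tolerating a lone Zero-Width Joiner inside an emoji sequence. The sample snippet is constructed.

```python
"""Scan source text for the zero-width and bidi-control code points that
the table above lists, so they are caught before review.

Added example, not code from the article, Aikido, or any project. The
sample snippet is constructed: it contains one legitimate ZWJ inside an
emoji sequence and a run of ZWSP/ZWNJ characters hiding in a comment.
"""
import unicodedata

# The six characters from the table (names as in the Unicode standard).
SUSPECT_CODEPOINTS = {
    "\u200B": "ZERO WIDTH SPACE",
    "\u200C": "ZERO WIDTH NON-JOINER",
    "\u200D": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\u200E": "LEFT-TO-RIGHT MARK",
    "\u200F": "RIGHT-TO-LEFT MARK",
}


def find_invisible(text):
    """Return (line, column, codepoint, name) for every suspect character.
    Lines and columns are 1-based."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SUSPECT_CODEPOINTS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", SUSPECT_CODEPOINTS[ch]))
    return hits


def is_emoji_joiner(line, col):
    """Heuristic allowance: a ZWJ sandwiched between two pictographic
    symbols (Unicode category So) is a normal emoji sequence, not
    steganography. col is 1-based, as returned by find_invisible."""
    idx = col - 1
    if line[idx] != "\u200D" or idx == 0 or idx + 1 >= len(line):
        return False
    before, after = line[idx - 1], line[idx + 1]
    return unicodedata.category(before) == "So" and unicodedata.category(after) == "So"


def suspicious_runs(text, min_run=8):
    """Return (line, run_length) for lines holding at least min_run
    consecutive suspect characters, ignoring emoji joiners. A single stray
    mark is noise; a run of dozens is how an encoded payload looks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run = longest = 0
        for col, ch in enumerate(line, start=1):
            if ch in SUSPECT_CODEPOINTS and not is_emoji_joiner(line, col):
                run += 1
                longest = max(longest, run)
            else:
                run = 0
        if longest >= min_run:
            findings.append((lineno, longest))
    return findings


# Constructed sample: line 1 is a harmless emoji ZWJ sequence (man + ZWJ +
# laptop), line 3 carries twelve zero-width characters after the comment.
SAMPLE = (
    "const greeting = '\U0001F468\u200D\U0001F4BB';\n"
    "function init() {\n"
    "  // TODO: tidy up" + "\u200B\u200C" * 6 + "\n"
    "}\n"
)

if __name__ == "__main__":
    for hit in find_invisible(SAMPLE):
        print("found", hit)
    print("payload-shaped runs:", suspicious_runs(SAMPLE))
```

A pre-commit hook or CI step that fails on any non-empty result from suspicious_runs closes the gap that visual review leaves; the per-character listing from find_invisible is what to attach to the finding so a reviewer can locate the bytes.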

Attackers also use LLMs to generate camouflage commits. These commits look like real documentation fixes, version bumps, or formatting refactors, which makes review harder.

On the npm side, two packages, @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp, were confirmed to be infected with the same technique.

PhantomRaven and Remote Dynamic Dependencies

Endor Labs reported a related campaign with 88 malicious npm packages uploaded through 50 disposable accounts between November 2025 and February 2026, and named it PhantomRaven.

PhantomRaven’s Remote Dynamic Dependencies (RDD) technique is especially nasty. Because the code can be changed without publishing a new version, scanners and inspection tools are effectively bypassed. Version pinning and lockfiles only help when versions change; they do not stop code inside an existing version from being swapped out dynamically.
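The practical defense is to find dependencies whose code is not frozen by a registry version in the first place. The added example below (not code from the article or from Endor Labs) audits a package.json and classifies each specifier as a registry version, a registry range, a local path, or a remote source that can change without a publish. It assumes, and the article does not say so, that Remote Dynamic Dependencies are declared as URL, git or tarball specifiers; the sample manifest is constructed and its hostname is a placeholder.

```python
"""Flag npm dependency specifiers that do not resolve to an immutable
registry version, so the package's code cannot be swapped out without a
new publish.

Added example, not code from the article or from Endor Labs. It assumes
(not stated in the article) that Remote Dynamic Dependencies appear as
URL, git, or tarball specifiers in package.json; the manifest below is
constructed and the hostname is a placeholder.
"""
import json
import re

# Specifiers fetched from outside the registry: their content can change
# at any time without a new version number.
REMOTE_PREFIXES = ("http://", "https://", "git://", "git+", "github:", "gitlab:", "bitbucket:")
# Specifiers resolved from the local checkout, not from the network.
LOCAL_PREFIXES = ("file:", "link:", "workspace:")
# An exact version such as 2.0.1 or =v1.0.0-beta.1+build.7
EXACT_VERSION = re.compile(r"=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?")


def classify_specifier(spec):
    """Return 'remote', 'local', 'registry-pinned' or 'registry-range'."""
    s = spec.strip()
    if s.startswith(LOCAL_PREFIXES):
        return "local"
    if s.startswith(REMOTE_PREFIXES) or s.endswith((".tgz", ".tar.gz")):
        return "remote"
    if "/" in s and ":" not in s:        # owner/repo GitHub shorthand
        return "remote"
    if s.startswith("npm:"):              # alias: npm:<name>@<range>
        alias = s[4:]
        s = alias.rsplit("@", 1)[1] if "@" in alias.lstrip("@") else "*"
    if EXACT_VERSION.fullmatch(s):
        return "registry-pinned"
    return "registry-range"              # ranges and dist-tags such as latest


def audit_manifest(manifest_text):
    """Return {dependency name: verdict} across every dependency section."""
    manifest = json.loads(manifest_text)
    verdicts = {}
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        for name, spec in manifest.get(section, {}).items():
            verdicts[name] = classify_specifier(spec)
    return verdicts


def remote_dependencies(manifest_text):
    """Names of dependencies whose code is not frozen by the registry."""
    return sorted(n for n, v in audit_manifest(manifest_text).items() if v == "remote")


# Constructed manifest; placeholder.invalid is a reserved, non-resolving host.
CONSTRUCTED_MANIFEST = json.dumps({
    "name": "example-app",
    "dependencies": {
        "left-pad-ish": "^1.3.0",
        "pinned-lib": "2.0.1",
        "aliased": "npm:some-pkg@1.0.0",
        "sneaky-helper": "http://placeholder.invalid/sneaky-helper.tgz",
        "shorthand-repo": "example-owner/example-repo",
    },
    "devDependencies": {"local-tool": "file:../local-tool"},
})

if __name__ == "__main__":
    for name, verdict in audit_manifest(CONSTRUCTED_MANIFEST).items():
        print(f"{name:16} {verdict}")
    print("remote:", remote_dependencies(CONSTRUCTED_MANIFEST))
```

The split between registry-pinned and registry-range matters less than the remote bucket: a lockfile makes a range reproducible, but nothing in a lockfile stops a tarball behind a URL from being replaced.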

Persistent GlassWorm traits

GlassWorm has carried the following traits from the beginning, and they remain effective in the second wave:

  • A locale check that intentionally avoids infecting systems in Russia, which suggests where the operators are based
  • Use of Solana blockchain transactions as a dead-drop resolver for the C2 server address, making the address hard to remove because the blockchain is immutable
  • Wallet rotation to evade tracking and detection
  • Stronger obfuscation

Response

Open VSX has removed the identified malicious extensions from the registry. But the attack abuses the structural transitive-install behavior of extensionPack and extensionDependencies, so removing specific packages after the fact is not a complete fix.

The lesson for development environments is simple: extension installation is not just “install one item.” It is often the installation of an entire dependency chain. Review dependencies before installing, and manage extension allowlists at the organization level.
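One way to act on that advice at the organization level is to audit what is actually installed. The added example below (not code from the article or from Open VSX) reads the output format of `code --list-extensions --show-versions`, one `publisher.name@version` per line, and reports anything on a blocklist or outside an allowlist of approved publishers and IDs. The listing lines are constructed, the allowlist is a placeholder policy, and the blocklist holds the three extension IDs the article names.

```python
"""Audit installed VS Code extensions against an organization allowlist
and a blocklist of known-bad extension IDs.

Added example, not code from the article or from Open VSX. Input is the
format printed by `code --list-extensions --show-versions`; the listing
below is constructed, ALLOWLIST is a placeholder policy, and KNOWN_MALICIOUS
holds the three IDs the article reports.
"""

# IDs named in the article. Comparison is case-insensitive because
# VS Code treats extension IDs that way.
KNOWN_MALICIOUS = {
    "gvotcha.claude-code-extension",
    "mswincx.antigravity-cockpit",
    "angular-studio.ng-angular-extension",
}

# Placeholder policy: either a publisher (everything they ship) or a full ID.
ALLOWLIST = {"ms-python", "ms-vscode", "example-org.internal-tools"}

# Constructed output of `code --list-extensions --show-versions`.
CONSTRUCTED_LISTING = """\
ms-python.python@2024.2.1
ms-vscode.cpptools@1.19.9
Example-Org.Internal-Tools@0.4.0
GVotcha.Claude-Code-Extension@1.0.3
somebody.random-helper@2.1.0
"""


def parse_listing(text):
    """Return [(extension_id, version)] with IDs lower-cased; a line with
    no @version suffix yields an empty version string."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ext_id, _, version = line.rpartition("@")
        if not ext_id:                     # rpartition found no '@'
            ext_id, version = version, ""
        items.append((ext_id.lower(), version))
    return items


def is_allowed(ext_id, allowlist):
    """True if the full ID or its publisher is on the allowlist."""
    normalized = {a.lower() for a in allowlist}
    publisher = ext_id.split(".", 1)[0]
    return ext_id in normalized or publisher in normalized


def audit_installed(text, allowlist=ALLOWLIST, blocklist=KNOWN_MALICIOUS):
    """Bucket each installed extension as blocklisted, not allowlisted, or ok.
    Blocklist wins over allowlist so a compromised approved ID still shows."""
    blocked = {b.lower() for b in blocklist}
    report = {"blocklisted": [], "not_allowlisted": [], "ok": []}
    for ext_id, version in parse_listing(text):
        label = f"{ext_id}@{version}" if version else ext_id
        if ext_id in blocked:
            report["blocklisted"].append(label)
        elif not is_allowed(ext_id, allowlist):
            report["not_allowlisted"].append(label)
        else:
            report["ok"].append(label)
    return report


if __name__ == "__main__":
    for bucket, names in audit_installed(CONSTRUCTED_LISTING).items():
        print(f"{bucket}: {names}")
```

Piping the real listing into this on each developer machine gives an inventory that the removal of packages from the registry does not: an extension pulled in transitively and then delisted stays installed until someone looks.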

How VS Code extension supply-chain attacks evolved

GlassWorm’s abuse of extensionDependencies did not appear out of nowhere. Attacks against the VS Code extension marketplace have steadily become more sophisticated since 2023.

2023: The typo-squatting era

The first wave was straightforward. Attackers published fake packages with names that differed by a single character from popular extensions and waited for installation mistakes. One well-known case involved “Darcula,” a fake of the popular “Dracula Official” theme, which infected more than 100 organizations and exfiltrated code to an external server.

At the time, researchers found 1,283 malicious extensions across the marketplace, with a cumulative 229 million installs. The technique was direct: embed malware in the extension itself. That also made detection relatively easy.

2024: Dependency abuse begins

In 2024, attackers moved toward more organized operations with multiple accounts, such as the TigerJack campaign. Around the same time, the npm ecosystem was hit by serious dependency confusion attacks, and one study found that 49% of companies were vulnerable.

One especially notable case abused the fact that AI code-generation tools hallucinate package names that do not exist. Attackers pre-registered the fake names that LLMs tend to invent and waited for developers to run the AI-generated code as-is.

2025: GlassWorm appears and becomes self-propagating

2025 became the turning point for VS Code extension attacks.

October 2025 - GlassWorm was observed for the first time. Seven malicious extensions were found on Open VSX, with a combined 35,800 downloads. It was called the first self-propagating worm for VS Code extensions. It could recursively infect the next extension by reusing stolen credentials.

November to December 2025 - GlassWorm spread through second and third waves. More than 48 extensions disguised as popular tools such as Flutter, React, Tailwind, and Vim were identified. At the same time, ReversingLabs found 19 cases of malware hidden inside extension dependency folders. A fake Prettier extension was also seen delivering OctoRAT, a fully featured RAT, through the Anivia loader in a multi-stage chain.

In that single year, VS Code-related malware detections jumped fourfold year over year, from 27 in 2024 to 105 in the first 10 months of 2025.

npm also saw a parallel large-scale campaign.

  • September 2025 - 18 packages such as Chalk and Debug, which together had 2.6 billion weekly downloads, were compromised after maintainer accounts were taken over in phishing attacks
  • September 2025 - the self-replicating worm Shai-Hulud appeared, and a second wave in November spread to more than 25,000 repositories

2026: Abusing the trust chain

In 2026, GlassWorm evolved into the transitive delivery mechanism reported here, abusing extensionDependencies.

```mermaid
graph LR
    A["2023<br/>Typosquatting"] --> B["2024<br/>Dependency abuse<br/>Hallucinated package names"]
    B --> C["2025<br/>Self-propagating worm<br/>Multi-stage payloads"]
    C --> D["2026<br/>`extensionDependencies`<br/>Transitive delivery"]

    style A fill:#4a9,stroke:#333,color:#fff
    style B fill:#4a9,stroke:#333,color:#fff
    style C fill:#e74,stroke:#333,color:#fff
    style D fill:#c00,stroke:#333,color:#fff
```

The evolution follows a clear pattern.

| Period | Main technique | Detection difficulty | Infection scale |
| --- | --- | --- | --- |
| 2023 | Similar names trick users into installing the wrong package | Low | One-off |
| 2024 | Register a public package with the same name as an internal dependency | Medium | Project-level |
| 2025 | Automatic propagation after stealing credentials and poisoning the next package | High | Ecosystem-wide |
| 2026 | Repurpose the editor’s dependency resolver itself as the delivery path | Very high | Entire dependency chain |

At first, the problem was “can a human spot the fake?” Since 2025, the problem has become structural: a legitimate mechanism can itself become the attack path. GlassWorm’s extensionDependencies abuse is the end point of that trend, because the front extension code itself remains clean and static analysis has nothing obvious to flag.

We also covered supply-chain attacks around npm and VS Code in the following articles.