The latest GlassWorm wave bundles Zig-compiled native binaries in an Open VSX extension and silently installs a second-stage payload across VS Code, Cursor, Windsurf, VSCodium, and Positron.
GlassWorm has expanded to 72 Open VSX extensions, 151 GitHub repositories, and 88 npm packages, while a new supply-chain technique now abuses extensionDependencies as a delivery channel.
A UAF zero-day in Chrome, critical flaws in four VS Code extensions, and a Microsoft Copilot bug that leaked confidential emails. A review of security risks lurking in developers’ everyday tools.
Testing the new LSP feature in Claude Code v2.0.74 with a PHP setup. phpactor fails on Windows, intelephense installs but isn't recognized — turns out it's already filed as Issue #14803.
