GlassWorm Malware Expands Through 73 New Sleeper Extensions

Posted on April 26, 2026 By CWS

The GlassWorm malware campaign has intensified, now involving 73 newly identified sleeper extensions within the Open VSX marketplace. This development marks a significant escalation in how cybercriminals are distributing malware to developers.

The Rise of GlassWorm’s New Tactics

First detected in April 2026, this latest cluster of sleeper extensions represents a shift in GlassWorm’s approach, following an earlier wave identified in March. Back then, researchers had uncovered 72 malicious extensions related to the operation.

Earlier versions exploited extension dependencies to silently install harmful loaders. April’s findings, however, show that the attackers have refined their techniques to avoid detection by security systems.

Understanding the Sleeper Extension Strategy

Sleeper extensions appear benign initially, allowing them to gain user trust and downloads before being activated as malicious. Attackers leverage new GitHub accounts to replicate popular tools, thus widening their reach.

One example is a counterfeit Turkish Language Pack for Visual Studio Code that closely resembles the legitimate version but is published under a different name.

These cloned tools are installed by developers who are then vulnerable to malware once the attackers release a subsequent update. So far, six of the 73 extensions have been activated to distribute malware.

Advanced Delivery Techniques

The recent wave of attacks employs extensions as mere loaders to retrieve external payloads, making them less detectable. This tactic utilizes two main methods:

  • Native Binaries: Hidden .node files within the extension are executed by a JavaScript file to download harmful .vsix files for IDEs like VS Code.
  • Obfuscated JavaScript: The malicious code is heavily concealed and self-decoding, retrieving payloads from GitHub and installing them via command-line.

Both methods are designed to evade security scans and maintain a stealthy presence.
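For defenders auditing installed extensions, the two loader styles above can be triaged statically. The following is an added example, not code from the article or from Socket: the signal patterns, the length threshold, the function names and the sample inputs are assumptions, and only the two extension names come from this article.

```javascript
// Static triage of one unpacked extension for the loader traits described above.
// Heuristics are assumptions for illustration; only the two names below come from the article.
const NAMED_IN_ARTICLE = ["outsidestormcommand", "monochromator-theme"];

const JS_SIGNALS = [
  ["loads-native-binary", /require\(\s*['"`][^'"`]*\.node['"`]\s*\)|process\.dlopen/],
  ["installs-extension-via-cli", /--install-extension/],
  ["spawns-process", /child_process/],
  ["references-vsix", /\.vsix\b/],
  ["self-decoding", /\beval\s*\(|new\s+Function\s*\(|fromCharCode|\batob\s*\(/],
];
const IS_JS = /\.[cm]?js$/;

// files: { "relative/path": "text" } for one extension; returns sorted finding labels.
function triageExtension(name, files) {
  const findings = new Set();
  if (NAMED_IN_ARTICLE.some((n) => name.toLowerCase().includes(n))) findings.add("named-in-article");
  for (const [file, text] of Object.entries(files)) {
    if (file.endsWith(".node")) findings.add("bundles-native-binary");
    if (!IS_JS.test(file)) continue;
    for (const [label, re] of JS_SIGNALS) if (re.test(text)) findings.add(label);
    // Packed code often sits on one huge line (so do benign minified bundles).
    if (text.split("\n").some((line) => line.length > 5000)) findings.add("very-long-line");
  }
  return [...findings].sort();
}

// Read an unpacked extension directory (e.g. one folder under ~/.vscode/extensions).
function loadExtensionDir(root, rel = "", files = {}) {
  const fs = require("node:fs"), path = require("node:path");
  for (const ent of fs.readdirSync(path.join(root, rel), { withFileTypes: true })) {
    const p = path.posix.join(rel, ent.name);
    if (ent.isDirectory()) loadExtensionDir(root, p, files);
    else if (ent.isFile()) files[p] = IS_JS.test(p) ? fs.readFileSync(path.join(root, p), "utf8") : "";
  }
  return files;
}

// Constructed samples, not real GlassWorm code.
const SAMPLE_NATIVE = { "bin/helper.node": "", "extension.js": "require('./bin/helper.node').run();" };
const SAMPLE_SCRIPT = {
  "extension.js": "eval(atob(blob)); require('child_process').exec('code --install-extension a.vsix');",
};
const SAMPLE_THEME = { "package.json": "{}", "themes/dark.json": "{}" };

console.log(triageExtension("example.lang-pack-1.0.0", SAMPLE_NATIVE));
console.log(triageExtension("example.helper-0.0.2", SAMPLE_SCRIPT));
console.log(triageExtension("example.monochromator-theme-1.0.0", SAMPLE_THEME));
```

Legitimate extensions also ship native modules and minified bundles, so a finding is a prompt for manual review of the publisher and update history, not a verdict.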

Indicators and Precautions

Security experts recommend vigilance for certain indicators, such as specific SHA256 hashes and GitHub URLs linked to malicious activities. Known malicious extensions, including outsidestormcommand and monochromator-theme, should be monitored.

Socket Research Team advises developers to carefully verify publisher credentials and examine download statistics before adding extensions from Open VSX to their tools. Staying informed about such cybersecurity threats is crucial to maintaining secure development environments.

Copyright © 2026 Cyber Web Spider Blog – News.