Cyber Web Spider Blog – News

GlassWorm Malware Expands Through 73 New Sleeper Extensions


Posted on April 26, 2026 By CWS

The GlassWorm malware campaign has intensified, now involving 73 newly identified sleeper extensions within the Open VSX marketplace. This development marks a significant escalation in how cybercriminals are distributing malware to developers.

The Rise of GlassWorm’s New Tactics

First detected in April 2026, this latest cluster of sleeper extensions represents a shift in GlassWorm’s approach, following an earlier wave identified in March. Back then, researchers had uncovered 72 malicious extensions related to the operation.

Earlier versions exploited extension dependencies to silently install harmful loaders. April’s findings, however, show that the attackers have refined their techniques to avoid detection by security systems.

Understanding the Sleeper Extension Strategy

Sleeper extensions appear benign initially, allowing them to gain user trust and downloads before being activated as malicious. Attackers leverage new GitHub accounts to replicate popular tools, thus widening their reach.

An example includes a counterfeit Turkish Language Pack for Visual Studio Code, closely resembling the legitimate version but published under a different name.

Developers who install these cloned tools become exposed to malware once the attackers release a subsequent update. So far, six of the 73 extensions have been activated to distribute malware.

Advanced Delivery Techniques

The recent wave of attacks employs extensions as mere loaders to retrieve external payloads, making them less detectable. This tactic utilizes two main methods:

  • Native Binaries: Hidden .node files within the extension are executed by a JavaScript file to download harmful .vsix files for IDEs like VS Code.
  • Obfuscated JavaScript: The malicious code is heavily concealed and self-decoding, retrieving payloads from GitHub and installing them via command-line.

Both methods are designed to evade security scans and maintain a stealthy presence.

Indicators and Precautions

Security experts recommend vigilance for certain indicators, such as specific SHA256 hashes and GitHub URLs linked to malicious activities. Known malicious extensions, including outsidestormcommand and monochromator-theme, should be monitored.

Socket Research Team advises developers to carefully verify publisher credentials and examine download statistics before adding extensions from Open VSX to their tools. Staying informed about such cybersecurity threats is crucial to maintaining secure development environments.
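A defender-side audit of already installed extensions, added here as an example and not taken from the article or from Socket: it walks an unpacked extensions directory and flags the traits described above (bundled .node binaries, the two extension names listed in the article, and theme or language-pack extensions that ship code). The function names, reason labels and the category heuristic are assumptions of this example.

```javascript
const fs = require('node:fs');
const path = require('node:path');

// Extension names the article lists as known malicious (the page gives no publisher).
const NAMED_ON_PAGE = new Set(['outsidestormcommand', 'monochromator-theme']);

// Recursively collect files ending in .node (native Node.js addons).
function findNativeAddons(dir) {
  const hits = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isSymbolicLink()) continue; // do not follow links out of the tree
    if (entry.isDirectory()) hits.push(...findNativeAddons(full));
    else if (entry.name.toLowerCase().endsWith('.node')) hits.push(full);
  }
  return hits;
}

// Inspect one unpacked extension folder and return a finding record.
function auditExtension(extDir) {
  let manifest = {};
  try {
    manifest = JSON.parse(fs.readFileSync(path.join(extDir, 'package.json'), 'utf8'));
  } catch { /* a missing or malformed manifest is flagged below */ }
  const reasons = [];
  const name = String(manifest.name || '').toLowerCase();
  if (!name) reasons.push('no-readable-manifest');
  if (NAMED_ON_PAGE.has(name)) reasons.push('name-listed-in-article');
  const addons = findNativeAddons(extDir).map(f => path.relative(extDir, f));
  if (addons.length) reasons.push('bundles-native-addon');
  // Heuristic (assumption): a theme or language pack has no need for a code entry point.
  const cats = (manifest.categories || []).map(c => String(c).toLowerCase());
  const contentOnly = cats.length > 0 && cats.every(c => c === 'themes' || c === 'language packs');
  if (contentOnly && (addons.length || manifest.main)) reasons.push('content-only-category-with-code');
  return { id: `${manifest.publisher || '?'}.${name || path.basename(extDir)}`, addons, reasons };
}

// Audit every extension folder under root; return only those with findings.
function auditExtensions(root) {
  return fs.readdirSync(root, { withFileTypes: true })
    .filter(e => e.isDirectory())
    .map(e => auditExtension(path.join(root, e.name)))
    .filter(r => r.reasons.length > 0);
}
```

Pass the editor's extensions directory (for VS Code typically `~/.vscode/extensions`) to `auditExtensions`. Many legitimate extensions ship native addons, so a `bundles-native-addon` finding is a prompt to review the publisher and update history, not a verdict.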


Category: Cyber Security News. Tags: Cybersecurity, GitHub, GlassWorm, malicious extensions, Malware, Open VSX, sleeper extensions, software developers, supply chain attack, Threat Actors

Copyright © 2026 Cyber Web Spider Blog – News.
