What happened
Security researchers uncovered a GlassWorm malware campaign leveraging 72 malicious extensions on the Open VSX registry to expand its reach through developer environments. Instead of embedding malware directly in the initial extension, attackers used staged payload delivery techniques that download malicious code after installation, helping evade detection during marketplace reviews. The extensions are designed to infect systems used by developers and can harvest sensitive data such as credentials, tokens, and other development secrets. The campaign targets the Open VSX marketplace, an open-source alternative used by VS Code–compatible editors, allowing attackers to distribute malware through a trusted software supply chain. Researchers warn that compromised extensions in developer environments can expose enterprise systems if stolen credentials or secrets are reused in production infrastructure.
Who is affected
Developers and organizations using editors that rely on the Open VSX extension registry are affected, particularly environments where compromised extensions could expose development credentials or access to internal repositories and infrastructure.
Why CISOs should care
Supply-chain attacks targeting developer tools can lead to credential theft and unauthorized access to enterprise code repositories, cloud services, and production systems if compromised developer environments are used inside corporate networks.
3 practical actions
- Audit installed Open VSX extensions. Identify and remove suspicious or recently added extensions across developer environments.
- Rotate exposed credentials. Reset API keys, repository tokens, and cloud credentials that may have been stored in affected systems.
- Restrict extension installation policies. Implement allow-lists or approval processes for development environment plugins.
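One way to check the audit and allow-list actions on a single workstation, as an added example that is not part of the original report: it reads each installed extension's `package.json`, compares the `publisher.name` ID against an allow-list, and flags recent installs. The extensions directory, the allow-list entries and the sample extensions are constructed assumptions, and manifest modification time is used only as an approximation of install time.

```python
import json, os, tempfile, time
from pathlib import Path

def audit_extensions(ext_dir, allow_list, recent_days=30, now=None):
    """Flag extensions that are off the allow-list or recently installed."""
    now = now or time.time()
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
        except (OSError, ValueError, KeyError, TypeError):
            # A manifest that cannot be parsed is itself worth a manual look.
            findings.append((manifest.parent.name, ["unreadable manifest"]))
            continue
        reasons = []
        if ext_id not in allow_list:
            reasons.append("not on allow-list")
        # Assumption: manifest mtime approximates install time.
        age_days = (now - manifest.stat().st_mtime) / 86400
        if age_days <= recent_days:
            reasons.append(f"installed within {recent_days} days")
        if reasons:
            findings.append((ext_id, reasons))
    return findings

def demo():
    """Audit a constructed extensions directory (all sample data is made up)."""
    samples = [  # constructed: (publisher, name, age in days)
        ("example-corp", "linter", 200),
        ("example-corp", "formatter", 3),
        ("unknown-pub", "theme-pack", 400),
    ]
    allow_list = {"example-corp.linter", "example-corp.formatter"}
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        for pub, name, age in samples:
            ext = Path(tmp, f"{pub}.{name}-1.0.0")
            ext.mkdir()
            manifest = ext / "package.json"
            manifest.write_text(json.dumps({"publisher": pub, "name": name}))
            os.utime(manifest, (now - age * 86400, now - age * 86400))
        broken = Path(tmp, "broken-0.0.1")
        broken.mkdir()
        (broken / "package.json").write_text("{not json")
        return audit_extensions(tmp, allow_list, now=now)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To use it on a real machine, pass the editor's actual extensions directory and an allow-list maintained by the approval process as arguments to `audit_extensions`.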
