Full Report
A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update. [...]
Analysis Summary
# Tool/Technique: GlassWorm (OpenVSX Sleeper Extensions)
## Overview
GlassWorm is a persistent supply chain attack campaign targeting developers and the software development lifecycle. The latest iteration involves the distribution of "sleeper" extensions on the OpenVSX Registry—a vendor-neutral alternative to the VS Code Marketplace. These extensions are initially submitted as benign clones of popular tools to evade detection and establish a user base. Once established, they are updated with malicious loaders that fetch secondary payloads to steal sensitive developer assets.
## Technical Details
- **Type:** Malware / Supply Chain Attack
- **Platform:** Windows, macOS, Linux (via VS Code/OpenVSX environments)
- **Capabilities:** Credential theft, cryptocurrency wallet drainage, SSH key exfiltration, and secondary payload delivery via remote VSIX installation.
- **First Seen:** October 2025 (Initial campaign observed; current wave detected April 2026)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1204.002 - User Execution: Malicious File (Installing extensions)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1027.013 - Bilayer Executable (Sleeper functionality/Delayed malicious update)
- **TA0009 - Collection**
  - T1555 - Credentials from Password Stores
  - T1649 - Steal Web Session Cookie
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **Sleeper Mechanism:** Extensions are uploaded as functional, benign clones of legitimate extensions to build trust and pass automated marketplace scans.
- **Thin Loaders:** Modern variants function as staged loaders rather than monolithic malware. They use CLI commands to fetch and install secondary `.vsix` packages or load platform-specific `.node` modules.
- **Obfuscated Logic:** Uses heavily obfuscated JavaScript designed to decode at runtime to reveal download URLs and installation routines.
### Advanced Features
- **Redundancy:** Employs encrypted or fallback URLs for payload retrieval to ensure C2 resilience.
- **Cross-Platform Compatibility:** Utilizes compiled `.node` modules tailored for different operating systems (Windows/macOS/Linux) to ensure execution across diverse developer environments.
- **Social Engineering:** Mimics the branding, icons, and descriptions of popular extensions to deceive developers during the installation phase.
## Indicators of Compromise
- **File Names:** Various `.node` compiled modules; secondary `.vsix` files retrieved at runtime.
- **Network Indicators:**
  - `github[.]com` (Used for hosting secondary VSIX packages)
  - Further C2 and payload-delivery domains are not enumerated in this summary; Socket's report lists the 73 affected extension IDs.
- **Behavioral Indicators:**
  - VS Code/OpenVSX processes spawning CLI commands to install extensions (e.g., `code --install-extension`).
  - Unexpected network connections from the IDE to GitHub repositories not associated with the user’s projects.
  - Presence of developer tool clones with slight variations in "Publisher Name" or "Unique Identifier."
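The first behavioral indicator above (an IDE process spawning the extension CLI) can be turned into a detection rule over process-creation telemetry. The following is an added example, not code from the report or from Socket: it evaluates constructed JSON-lines process events (the field names `parent_image`, `image` and `cmdline` are assumptions, not a particular EDR schema), flags `--install-extension` invocations whose parent is an IDE binary, and rates an install from a local `.vsix` path or URL (the loader pattern described in the report) higher than a marketplace-identifier install. A developer typing the command in a terminal is not flagged, because that process has a shell, not the IDE, as its parent.

```python
"""Flag IDE-spawned extension installs in process-creation events (constructed sample data)."""
import json
import os
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Process images for VS Code, Code - OSS and VSCodium (the clients that consume OpenVSX).
IDE_IMAGES = {"code", "code.exe", "code-oss", "codium", "vscodium.exe", "code-insiders"}

# Constructed process-creation events in a generic JSON-lines shape, not real telemetry.
# Events 1, 3 and 4 model the loader behaviour described in the report; 2 and 5 are benign.
SAMPLE_EVENTS = """\
{"ts": "2026-04-02T09:14:03Z", "parent_image": "/usr/share/code/code", "image": "/bin/sh", "cmdline": "sh -c \\"code --install-extension /tmp/.cache/helper-1.0.3.vsix\\""}
{"ts": "2026-04-02T09:20:11Z", "parent_image": "/bin/bash", "image": "/usr/bin/code", "cmdline": "code --install-extension ms-python.python"}
{"ts": "2026-04-02T09:31:45Z", "parent_image": "C:\\\\Program Files\\\\Microsoft VS Code\\\\Code.exe", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "cmdline": "cmd.exe /c code.cmd --install-extension C:\\\\Users\\\\dev\\\\AppData\\\\Local\\\\Temp\\\\upd.vsix"}
{"ts": "2026-04-02T09:40:02Z", "parent_image": "/usr/share/code/code", "image": "/usr/share/code/code", "cmdline": "/usr/share/code/code --install-extension example-publisher.helper-tools"}
{"ts": "2026-04-02T09:40:03Z", "parent_image": "/usr/share/code/code", "image": "/usr/share/code/code", "cmdline": "/usr/share/code/code --type=renderer --enable-sandbox"}
"""


@dataclass
class Finding:
    ts: str
    severity: str
    reason: str
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name of a POSIX or Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _safe_split(text: str) -> List[str]:
    try:
        return shlex.split(text)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        return text.split()


def _argv(cmdline: str) -> List[str]:
    """Tokenise a command line, descending into quoted inner commands such as sh -c "..."."""
    tokens: List[str] = []
    pending = [cmdline]
    while pending:
        text = pending.pop()
        # Backslashes mark a Windows command line; POSIX shlex would swallow them.
        parts = text.split() if "\\" in text else _safe_split(text)
        for part in parts:
            if any(ch.isspace() for ch in part):
                pending.append(part)  # an inner command line, split again
            else:
                tokens.append(part)
    return tokens


def install_target(cmdline: str) -> Optional[str]:
    """Return the argument passed to --install-extension, or None if absent."""
    argv = _argv(cmdline)
    for i, tok in enumerate(argv):
        if tok == "--install-extension" and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith("--install-extension="):
            return tok.split("=", 1)[1]
    return None


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the rule to one event; only IDE-parented installs are of interest."""
    if _basename(event.get("parent_image", "")) not in IDE_IMAGES:
        return None  # e.g. a developer running the CLI from a terminal
    cmdline = event.get("cmdline", "")
    target = install_target(cmdline)
    if target is None:
        return None
    lowered = target.lower()
    if lowered.endswith(".vsix") or lowered.startswith(("http://", "https://")):
        severity, reason = "high", "IDE-spawned install of a VSIX file or URL fetched at runtime"
    else:
        severity, reason = "medium", "IDE-spawned marketplace install of another extension"
    return Finding(event.get("ts", ""), severity, reason, cmdline)


def detect(jsonl: str) -> List[Finding]:
    """Run the rule over a JSON-lines event stream and return all findings in order."""
    findings: List[Finding] = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = evaluate(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts} [{f.severity}] {f.reason}: {f.cmdline}")
```

Against the constructed events the rule yields two high-severity findings (the `.vsix` installs spawned through `sh` and `cmd.exe`) and one medium finding; the terminal-initiated install and the renderer child are ignored.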
## Associated Threat Actors
- **GlassWorm:** A known campaign/threat group specializing in developer-centric supply chain attacks.
## Detection Methods
- **Signature-based detection:** Scanning for specific hashes of malicious `.node` files or known-malicious VSIX identifiers listed by security researchers (Socket).
- **Behavioral detection:**
  - Monitoring for unauthorized modification of `~/.ssh/` or `~/.aws/credentials`.
  - Alerting on IDE extensions that attempt to execute shell commands for extension management.
- **Inventory Audit:** Cross-referencing installed OpenVSX extensions against the list of 73 flagged "sleeper" plugins.
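The inventory audit above, together with the look-alike indicator from the IoC section, as an added example that is not part of the report or of Socket's tooling. VS Code-family IDEs record installed extensions in an `extensions.json` file under their extensions directory (for example `~/.vscode/extensions/` or `~/.vscode-oss/extensions/`), where each entry carries `identifier.id` as `publisher.name` and a `version`; the entries, the flagged-ID placeholder, the known-publisher map and the trusted-publisher set below are all constructed. Besides matching flagged IDs, the audit catches the sleeper pattern the report describes: an extension whose version changed since a baseline snapshot and whose publisher the organisation does not already trust is surfaced for review, and a familiar extension name under an unfamiliar publisher is reported as a look-alike.

```python
"""Audit an IDE extension inventory for flagged IDs, look-alike publishers and untrusted updates."""
import json
from typing import Dict, List, Tuple

# Shape follows extensions.json from VS Code-family IDEs (identifier.id is "publisher.name");
# the entries are constructed for this example.
CURRENT_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2026.2.0"},
    {"identifier": {"id": "ms-pyth0n.python"}, "version": "2026.2.1"},
    {"identifier": {"id": "example-tools.git-helper"}, "version": "1.0.2"},
    {"identifier": {"id": "eamodio.gitlens"}, "version": "16.0.0"},
    {"identifier": {"id": "demo-publisher.prettier-lite"}, "version": "0.9.0"},
])

# Baseline snapshot taken before the suspicious window (constructed).
BASELINE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2026.2.0"},
    {"identifier": {"id": "ms-pyth0n.python"}, "version": "2026.2.1"},
    {"identifier": {"id": "example-tools.git-helper"}, "version": "1.0.1"},
    {"identifier": {"id": "eamodio.gitlens"}, "version": "15.9.0"},
])

# Placeholder for the researchers' list of 73 flagged extension IDs; substitute the published list.
FLAGGED_IDS = {"demo-publisher.prettier-lite"}

# Which publishers legitimately ship a given extension name (constructed allowlist).
KNOWN_PUBLISHERS = {"python": {"ms-python"}, "gitlens": {"eamodio"}}

# Publishers whose updates are routine; any other publisher's version change is reviewed.
TRUSTED_PUBLISHERS = {"ms-python", "eamodio"}


def load_inventory(raw: str) -> Dict[str, str]:
    """Map lower-cased extension id -> version from an extensions.json-style document."""
    return {e["identifier"]["id"].lower(): e.get("version", "") for e in json.loads(raw)}


def split_id(ext_id: str) -> Tuple[str, str]:
    """Split "publisher.name" into its two parts."""
    publisher, _, name = ext_id.partition(".")
    return publisher, name


def audit(current_raw: str, baseline_raw: str,
          flagged=FLAGGED_IDS, known=KNOWN_PUBLISHERS,
          trusted=TRUSTED_PUBLISHERS) -> List[Tuple[str, str, str]]:
    """Return (extension id, finding kind, detail) tuples, ordered by extension id."""
    current = load_inventory(current_raw)
    baseline = load_inventory(baseline_raw)
    findings: List[Tuple[str, str, str]] = []
    for ext_id, version in sorted(current.items()):
        publisher, name = split_id(ext_id)
        if ext_id in flagged:
            findings.append((ext_id, "flagged", "listed in the published sleeper-extension list"))
        if name in known and publisher not in known[name]:
            findings.append((ext_id, "lookalike",
                             f"'{name}' is expected from {sorted(known[name])}, not '{publisher}'"))
        if ext_id not in baseline:
            findings.append((ext_id, "new", f"installed since baseline at version {version}"))
        elif baseline[ext_id] != version and publisher not in trusted:
            findings.append((ext_id, "updated",
                             f"{baseline[ext_id]} -> {version} from an untrusted publisher; review the diff"))
    return findings


if __name__ == "__main__":
    for ext_id, kind, detail in audit(CURRENT_INVENTORY, BASELINE_INVENTORY):
        print(f"{kind:9} {ext_id}: {detail}")
```

On the constructed data the audit reports the flagged extension (also as newly installed), the look-alike `ms-pyth0n.python`, and the silently bumped `example-tools.git-helper`; the GitLens update is skipped because its publisher is trusted. Run it against each developer workstation's `extensions.json` and a baseline captured before the campaign window.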
## Mitigation Strategies
- **Extension Verification:** Always verify the publisher's identity and the extension's unique identifier before installation; do not rely on icons or names alone.
- **Least Privilege:** Run development environments in isolated containers (e.g., DevContainers) to prevent malware from accessing host SSH keys and system-wide credentials.
- **Secret Rotation:** If a GlassWorm extension is discovered, immediately rotate all SSH keys, API tokens (AWS, GitHub, Slack), and cryptocurrency wallet seeds.
- **Environment Hardening:** Utilize software composition analysis (SCA) tools that specifically scan for malicious IDE extensions.
## Related Tools/Techniques
- **Typosquatting:** Similar technique used to trick users into downloading malicious packages.
- **Magecart for Developers:** Similar focus on credential and token theft during the development phase.
- **VSCode Marketplace Attacks:** GlassWorm frequently targets both Microsoft's official marketplace and OpenVSX.