Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware
Socket researchers have identified 73 cloned VS Code extensions on the Open VSX repository linked to the GlassWorm v2 campaign, with six confirmed malicious and the rest acting as sleeper packages.

Cybersecurity researchers at Socket have uncovered a cluster of 73 fake Visual Studio Code extensions on the Open VSX repository, all tied to an ongoing information-stealing campaign dubbed GlassWorm. The extensions are cloned versions of legitimate packages, with six confirmed as malicious and the remaining 67 acting as sleeper packages designed to build user trust before delivering malware through a subsequent update. The campaign, tracked as GlassWorm v2, has produced over 320 artifacts since December 21, 2025, according to Socket.
The six confirmed malicious extensions are outsidestormcommand.monochromator-theme, keyacrosslaud.auto-loop-for-antigravity, krundoven.ironplc-fast-hub, boulderzitunnel.vscode-buddies, cubedivervolt.html-code-validate, and winnerdomain17.version-lens-tool. The cloned packages impersonate legitimate extensions: Emotionkyoseparate.turkish-language-pack, for example, mimics CEINTL.vscode-language-pack-tr, reusing its icon and description so that only the publisher identifier differs. This "visual trust" tactic is an effective social engineering lever for accumulating installs; once a clone has a following, a later update poisons it and serves malware to every downstream user.
The threat actors behind GlassWorm are actively evolving their methods, pivoting to sleeper packages and transitive dependencies to evade detection. Two delivery variants have been observed. In the binary-based variant, a Zig-based dropper fetches a secondary VSIX extension hosted on GitHub. In the other, the published extension itself is an innocuous-looking loader that retrieves the same kind of payload from GitHub. In both cases the second-stage VSIX is installed into every integrated development environment (IDE) found on the developer's machine, including VS Code, Cursor, Windsurf, and VSCodium, by invoking each editor's command-line interface with "--install-extension", so one compromised extension spreads to every editor on the host.
Regardless of the delivery method, the end goal remains the same: execute malware that avoids Russian systems, steal sensitive data, install a remote access trojan (RAT), and stealthily deploy a rogue Chromium-based extension to siphon credentials, bookmarks, and other information. Socket noted that the loader variant achieves the same outcome as the binary-based one but keeps the delivery logic in obfuscated JavaScript, which is harder for file-based scanners to flag than a native dropper.
The discovery highlights the growing threat of supply chain attacks targeting developer tools. As IDEs become increasingly integrated with cloud services and package repositories, the attack surface expands. Because the clones copy icons, display names, and descriptions, developers should verify the publisher identifier (publisher.name) rather than the visual presentation before installing an extension, and should watch for unexpected updates to extensions that were previously quiet. Organizations should restrict the registries and publishers from which extensions may be installed, audit the extension folders of every IDE on a host rather than only VS Code, and use security tools that can detect typosquatting and malicious behavior in IDE extensions.
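The following audit script is an added example of the checks described above, not tooling from Socket or from the GlassWorm analysis. It walks the extension folders of the four IDEs named in the article (the folder paths are assumed defaults), flags any installed extension whose displayName matches a known-good extension but whose publisher.name identifier differs (the clone pattern the article describes), and greps each extension's JavaScript for the "--install-extension" flag the loader variant uses to push a second VSIX into every editor. The reference catalog and the sample manifests embedded at the bottom are constructed for offline use; the real CEINTL identifier comes from the article, the other entries do not.

```python
"""Audit installed VS Code-family extensions for GlassWorm-style clones.

Added example (not Socket's code). Heuristics taken from the article:
  1. displayName identical or near-identical to a known-good extension while
     the publisher.name id differs  -> "visual trust" clone
  2. extension JavaScript that passes --install-extension to an IDE CLI
     -> loader pushing a second-stage VSIX into every editor on the host
All paths, the reference catalog and the sample data are assumptions.
"""
import difflib
import json
from pathlib import Path

# Assumed default extension roots for the IDEs the article says are targeted.
EXTENSION_ROOTS = [
    "~/.vscode/extensions",      # VS Code
    "~/.cursor/extensions",      # Cursor
    "~/.windsurf/extensions",    # Windsurf
    "~/.vscode-oss/extensions",  # VSCodium
]

# Constructed reference catalog: expected id -> displayName.  In practice build
# this from marketplace metadata for the extensions your organization allows.
REFERENCE = {
    "CEINTL.vscode-language-pack-tr": "Turkish Language Pack for Visual Studio Code",
    "example-publisher.example-tool": "Example Tool",   # hypothetical entry
}

INSTALL_MARKER = "--install-extension"


def ext_id(manifest):
    """publisher.name identifier as the marketplace would show it."""
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}"


def clone_findings(manifests, reference=REFERENCE, min_ratio=0.85):
    """Return (id, reason) for manifests that borrow a reference displayName.

    An exact displayName match under a different id is a definite clone; a
    difflib ratio >= min_ratio catches small edits such as an appended word.
    """
    ref_by_display = {name.strip().lower(): eid for eid, name in reference.items()}
    findings = []
    for m in manifests:
        eid = ext_id(m)
        if eid in reference:
            continue  # the genuine extension
        display = m.get("displayName", "").strip().lower()
        if not display:
            continue
        if display in ref_by_display:
            findings.append((eid, f"same displayName as {ref_by_display[display]}"))
            continue
        near = difflib.get_close_matches(display, ref_by_display, n=1, cutoff=min_ratio)
        if near:
            findings.append((eid, f"displayName resembles {ref_by_display[near[0]]}"))
    return findings


def has_install_hook(js_source):
    """True if extension code carries the CLI flag used to install another VSIX."""
    return INSTALL_MARKER in js_source


def load_manifests(roots=EXTENSION_ROOTS):
    """Read package.json from every extension folder under the given roots."""
    out = []
    for root in roots:
        base = Path(root).expanduser()
        if not base.is_dir():
            continue
        for pkg in base.glob("*/package.json"):
            try:
                data = json.loads(pkg.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            data["_dir"] = str(pkg.parent)  # remembered for the source scan
            out.append(data)
    return out


def install_hook_findings(manifests):
    """Scan each extension folder's .js files for the --install-extension flag."""
    findings = []
    for m in manifests:
        folder = m.get("_dir")
        if not folder:
            continue
        for js in Path(folder).rglob("*.js"):
            try:
                text = js.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            if has_install_hook(text):
                findings.append((ext_id(m), f"{js} invokes {INSTALL_MARKER}"))
                break
    return findings


# Constructed sample manifests (not real Open VSX metadata) for offline runs.
SAMPLE_MANIFESTS = [
    {"publisher": "CEINTL", "name": "vscode-language-pack-tr",
     "displayName": "Turkish Language Pack for Visual Studio Code"},
    {"publisher": "Emotionkyoseparate", "name": "turkish-language-pack",
     "displayName": "Turkish Language Pack for Visual Studio Code"},
    {"publisher": "someone", "name": "tr-pack",   # hypothetical near-miss clone
     "displayName": "Turkish Language Pack for Visual Studio Code (Updated)"},
    {"publisher": "acme", "name": "unrelated", "displayName": "Acme Tools"},
]

if __name__ == "__main__":
    live = load_manifests()
    for eid, why in clone_findings(live) + install_hook_findings(live):
        print(f"SUSPECT {eid}: {why}")
```

Run it on each developer workstation, not just the VS Code profile: the article's point is that the loader installs into every IDE it finds, so an audit limited to ~/.vscode/extensions can miss the copy sitting in Cursor or Windsurf. The displayName check deliberately ignores icons and descriptions, which clones copy verbatim, and keys on the one field the attacker cannot reuse, the publisher.name identifier.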