GlassWorm campaign escalates with transitive Open VSX extensions

A report by Socket flagged a new GlassWorm escalation in the Open VSX registry on Friday, with 72 malicious extensions discovered since January 31, 2026.

KEY FACTS

  • Incident: Abuse of VS Code extension relationships to deliver GlassWorm payloads
  • Scope: At least 72 malicious Open VSX extensions discovered since January 31, 2026
  • Targets: Developer tools including linters, formatters, code runners and AI assistant plugins
  • Technique: Transitive installs, invisible Unicode obfuscation and Solana-based resolvers

Attackers abuse the extensionPack and extensionDependencies manifest entries so that a benign-appearing extension can begin pulling in a separate GlassWorm-linked package after trust is established. The VS Code editor installs every extension listed in those fields, allowing one extension to act as an installer for another.

The malicious extensions retain checks to avoid systems with a Russian locale, use Solana transactions as a dead-drop resolver to fetch command-and-control endpoints, and rotate Solana wallets to evade detection. According to an Aikido advisory, invisible Unicode characters injected into repositories decode to a loader that fetches a second stage to steal tokens, credentials and secrets.

Open VSX removed the flagged listings. The discovered extensions mimic widely used developer utilities and AI assistant plugins. Related injections and malicious npm packages using invisible Unicode techniques were previously observed across repositories and packages in 2025 and 2026.

WHY IT MATTERS

Transitive extension delivery and remote dependencies increase supply chain risk for developers because a previously trusted extension can later install malicious code without obvious changes to its purpose. Organizations should review extension usage and limit automatic installs to reduce exposure.
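
One way to carry out the review suggested above, as an added example that is not code from Socket, Aikido or Open VSX: it follows the extensionPack and extensionDependencies fields of installed extension manifests and lists every extension an approved one would pull in that is not itself approved. The extension ids in SAMPLE are constructed, and the approved list stands for an assumed organization allowlist.

```python
import json
from pathlib import Path

# Manifest fields that make the editor install other extensions automatically.
INSTALL_FIELDS = ("extensionPack", "extensionDependencies")

def ext_id(manifest):
    """Build the publisher.name id, lower-cased so comparisons are consistent."""
    return f"{manifest['publisher']}.{manifest['name']}".lower()

def load_manifests(extensions_dir):
    """Read package.json from each installed extension folder."""
    manifests = {}
    for path in Path(extensions_dir).glob("*/package.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
            manifests[ext_id(manifest)] = manifest
        except (OSError, ValueError, KeyError):
            continue  # unreadable or incomplete manifest: skip it
    return manifests

def pulled_in(root, manifests):
    """Return every extension id reachable from root through INSTALL_FIELDS."""
    seen, stack = set(), [root]
    while stack:
        current = stack.pop()
        for field in INSTALL_FIELDS:
            for dep in manifests.get(current, {}).get(field) or []:
                dep = dep.lower()
                if dep != root and dep not in seen:  # also stops on cycles
                    seen.add(dep)
                    stack.append(dep)
    return seen

def audit(manifests, approved):
    """Map each approved extension to the unapproved ids it would install."""
    approved = {a.lower() for a in approved}
    findings = {}
    for root in sorted(approved.intersection(manifests)):
        extra = pulled_in(root, manifests) - approved
        if extra:
            findings[root] = sorted(extra)
    return findings

# Constructed sample manifests (hypothetical ids), keyed by extension id.
SAMPLE = {
    "demo-pub.lint-helper": {"extensionPack": ["demo-pub.format-kit"]},
    "demo-pub.format-kit": {"extensionDependencies": ["Other-Pub.Runner-Tool"]},
}
SAMPLE_FINDINGS = audit(SAMPLE, ["demo-pub.lint-helper"])
```

To audit a workstation, pass the editor's extensions directory (for VS Code, `~/.vscode/extensions`) to `load_manifests` and feed the result to `audit` together with the allowlist.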