HackWatch

GlassWorm Malware Resurfaces via 73 Malicious OpenVSX Sleeper Extensions in 2026

Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Malware activity flagged. Isolate affected systems, preserve logs and block persistence or command-and-control channels before recovery.
Marcin Pocztowski

Infrastructure Security Editor

Infrastructure and Vulnerability Response

By: Artur Ślesik

Published: Apr 26, 2026

Updated: May 01, 2026

Incident status: Mitigation available

Corroborating sources: 3

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 3 corroborating sources.


Mitigation available. Mitigation guidance or a workaround is available, but defenders should still verify rollout status and exposure.

In 2026, the GlassWorm malware campaign has made a significant comeback by exploiting 73 dormant 'sleeper' extensions on the OpenVSX marketplace. These extensions initially appear harmless but activate malicious payloads after updates, enabling credential theft, espionage, and supply chain compromises. Targeting developers and organizations that rely on OpenVSX extensions, this campaign underscores the escalating risks within open-source developer ecosystems.

# GlassWorm Malware Resurfaces via 73 Malicious OpenVSX Sleeper Extensions in 2026

What happened

In April 2026, cybersecurity experts identified a renewed surge of the GlassWorm malware campaign targeting the OpenVSX extension ecosystem. This sophisticated attack involves 73 "sleeper" extensions—initially benign when installed but programmed to deploy malicious activities after receiving updates. OpenVSX, an open-source marketplace serving as an alternative to the Visual Studio Code Marketplace, is widely adopted by developers globally, making this campaign particularly concerning.

Once activated, these extensions execute covert espionage operations such as credential harvesting, data exfiltration, and lateral movement within affected networks. This resurgence signifies a notable intensification of supply chain attacks focused on developer tools, raising critical questions about the security of open-source extension repositories.

Confirmed facts

  • Malicious extensions identified: 73 sleeper extensions on OpenVSX.
  • Activation method: Extensions remain inactive at installation and trigger malicious payloads only after specific updates, circumventing early detection.
  • Capabilities: Credential theft, data exfiltration, persistent backdoor establishment.
  • Target platform: OpenVSX, an open-source extension marketplace compatible with VS Code.
  • Discovery timeframe: April 2026, validated by multiple cybersecurity firms and reported by BleepingComputer.
  • Attack vector: Supply chain compromise via trusted extension updates.
  • Scope: Global impact, predominantly affecting developer environments using OpenVSX.

Who is affected

  • Developers and software engineers utilizing OpenVSX extensions within their Integrated Development Environments (IDEs).
  • Organizations leveraging OpenVSX for internal development workflows or tooling.
  • Open-source contributors and projects that may use or distribute affected extensions.
  • Enterprises with insufficient extension vetting policies, increasing vulnerability to infiltration.

Because the malware activates only after updates, users who installed these extensions weeks or months earlier might only now be exposed, complicating detection and response efforts.

What to do now

  1. Conduct an immediate audit of installed OpenVSX extensions: Cross-reference your environment against the list of 73 known malicious extensions.
  2. Remove or disable suspicious extensions: Uninstall any identified malicious extensions and revoke related permissions promptly.
  3. Ensure your IDEs and security tools are up to date: Keep development environments and endpoint protection solutions current to detect and block GlassWorm activities.
  4. Rotate credentials: If compromise is suspected, change passwords, API keys, and other sensitive credentials used within your development ecosystem.
  5. Monitor network activity: Watch for unusual outbound connections or unexpected data transfers from developer machines.
  6. Exercise caution with alternative extension sources: Prefer official or well-vetted marketplaces and scrutinize new extensions before installation.
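
The audit in step 1, as an added example (not code from this alert, from OpenVSX or from any vendor advisory). It reads each installed extension's `package.json`, matches `publisher.name` case-insensitively against a blocklist and reports every version still on disk. Assumptions: the two default extension folders, the one-id-per-line blocklist format, and the constructed placeholder ids in the demo, since this alert does not list the 73 extensions.

```python
import json
import tempfile
from pathlib import Path

# Assumed default extension folders (VS Code, VSCodium); adjust for your editor.
DEFAULT_DIRS = [Path.home() / ".vscode" / "extensions",
                Path.home() / ".vscode-oss" / "extensions"]

def load_blocklist(text):
    """Parse one 'publisher.name' per line; ignore blanks and '#' comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln.lower() for ln in lines if ln and not ln.startswith("#")}

def installed_extensions(ext_dir):
    """Yield (id, version, folder) per extension; id is None if unreadable."""
    for folder in sorted(p for p in Path(ext_dir).iterdir() if p.is_dir()):
        try:
            meta = json.loads((folder / "package.json").read_text("utf-8"))
            yield (f"{meta['publisher']}.{meta['name']}".lower(),
                   str(meta.get("version", "?")), folder)
        except (OSError, ValueError, KeyError, TypeError):
            yield None, "?", folder  # cannot identify: review by hand

def audit(ext_dirs, blocklist):
    """Return (hits, unidentified) across every extension folder that exists."""
    hits, unidentified = [], []
    for ext_dir in ext_dirs:
        if not Path(ext_dir).is_dir():
            continue
        for ext_id, version, folder in installed_extensions(ext_dir):
            if ext_id is None:
                unidentified.append(folder)
            elif ext_id in blocklist:
                hits.append((ext_id, version, folder))
    return hits, unidentified

if __name__ == "__main__":
    # Constructed sample: placeholder ids, not indicators from any advisory.
    blocklist = load_blocklist("# sample list\nexample-pub.sleeper-theme\n")
    sample = [("Example-Pub", "sleeper-theme", "1.2.0"), ("good-pub", "linter", "3.0.1")]
    with tempfile.TemporaryDirectory() as tmp:
        for pub, name, ver in sample:
            folder = Path(tmp, f"{pub}.{name}-{ver}")
            folder.mkdir()
            (folder / "package.json").write_text(
                json.dumps({"publisher": pub, "name": name, "version": ver}))
        hits, unidentified = audit([tmp], blocklist)
        for ext_id, version, folder in hits:
            print("BLOCKLISTED", ext_id, version, folder.name)
        print("unidentified folders:", len(unidentified))
```

For a real audit, call `audit(DEFAULT_DIRS, load_blocklist(...))` with the identifiers from the advisory you rely on. Folders reported as unidentified have no readable manifest and need a manual look.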

How to secure yourself

  • Enforce strict extension policies: Implement whitelisting and restrict extension installations to trusted sources only.
  • Deploy runtime behavior monitoring: Utilize advanced endpoint detection and response (EDR) tools capable of identifying malicious activities post-installation.
  • Educate development teams: Raise awareness about supply chain threats and indicators of compromised extensions.
  • Implement multi-factor authentication (MFA): Protect developer accounts and repositories to mitigate risks from credential theft.
  • Maintain regular audits and updates: Keep an accurate inventory of extensions and dependencies with scheduled reviews.
  • Isolate development environments: Use sandboxing or containerization to contain potential malware spread.

FAQ

What is GlassWorm malware?

GlassWorm is an advanced malware campaign targeting developer extension ecosystems. It is capable of stealing credentials, exfiltrating data, and establishing persistent backdoors.

How does the sleeper extension mechanism work?

Sleeper extensions appear benign upon installation but contain hidden code that activates malicious functions only after receiving specific updates, thereby evading initial security checks.

Am I affected if I use Visual Studio Code but not OpenVSX?

This campaign specifically targets OpenVSX extensions. However, vigilance is advised as similar supply chain attacks can occur on other extension marketplaces.

How can I check if I have a malicious extension installed?

Review your installed extensions against the list of 73 identified malicious ones, which is available through security advisories and OpenVSX announcements.

What immediate steps should organizations take?

Perform a comprehensive audit of developer environments, remove any suspicious extensions, enforce strict extension policies, and monitor for anomalous activity.

Can antivirus software detect GlassWorm?

Traditional antivirus solutions may struggle due to the sleeper nature of the extensions. Advanced endpoint detection and behavioral analysis tools are recommended.

Is OpenVSX taking measures to prevent future attacks?

Yes, OpenVSX is improving its extension vetting process and collaborating with security researchers to enhance ecosystem security.

What are the risks of ignoring this threat?

Ignoring this threat can lead to credential theft, intellectual property loss, and broader network compromise through developer environment infiltration.

How often should developers review their extensions?

Developers should review their extensions regularly—ideally monthly or immediately following any updates—to promptly identify and mitigate risks.

Does uninstalling the extension remove the malware completely?

Uninstalling removes the extension, but if the malware has already executed, additional incident response measures may be necessary.

Why this matters

The return of GlassWorm via sleeper extensions on OpenVSX exposes a critical vulnerability in the software supply chain, especially within developer tooling. As reliance on third-party extensions grows, attackers exploit this trust to stealthily infiltrate organizations. This incident demonstrates how supply chain attacks can bypass traditional defenses by embedding malicious payloads in seemingly legitimate software components.

Since development environments are central to software production, a compromise here can cascade into widespread breaches, intellectual property theft, and operational disruptions. Understanding and addressing these risks is vital for any organization involved in software development or dependent on open-source ecosystems.

Sources and corroboration

The details reflect confirmed findings from threat intelligence analyses and vendor responses.

  • [BleepingComputer: GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions](https://www.bleepingcomputer.com/news/security/glassworm-malware-attacks-return-via-73-openvsx-sleeper-extensions/)

---

Tags: malware, GlassWorm, OpenVSX, supply chain attack, developer security, sleeper extensions, 2026 cybersecurity, credential theft, software supply chain

Sources used for this article

cybersecuritynews.com, The Hacker News, BleepingComputer

Artur Ślesik

Founder of HackWatch.io and WEB-NET; Editorial Reviewer

Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this phishing alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "GlassWorm Malware Resurfaces via 73 Malicious OpenVSX Sleeper Extensions in 2026".

  • Secure web portals and publishing operations
  • Phishing prevention and account-safety guidance
  • User-facing recovery playbooks