A fresh wave of GlassWorm extensions for Visual Studio Code is spreading self-propagating malware via the Open VSX marketplace, an open source alternative to Microsoft's Visual Studio Marketplace. Researchers from Socket discovered a cluster of 73 so-called sleeper extensions beginning in April, linked to the GlassWorm self-propagation activity reported last month.
According to the Socket Research Team, the latest wave shows the campaign scaling up. Some variants defer execution: the extension itself acts as a thin loader that either retrieves a malicious payload from an external source or ships with a bundled native binary, and runs it only later. The attackers continue to impersonate legitimate extensions by cloning listings with matching names, icons and descriptions; in one example, a fake Turkish language pack closely mimics the official version to mislead developers.
At least six of the extensions have already been activated to deliver malware, and the total remains fluid because sleeper extensions may turn malicious later. Elizabeth Montalbano notes that the GlassWorm campaign persists, with researchers urging developers to exercise caution with extensions obtained from public code-sharing sites before deploying them in production environments.