OVER 70 Open VSX extensions published in April are likely sleeper extensions linked to the GlassWorm malware, with Socket later identifying 73 suspicious clones that mirror popular listings. GlassWorm first appeared in the Open VSX registry in October 2025 in a dozen extensions that were likely downloaded thousands of times, and it used Unicode variation selectors to hide its code while relying on the Solana blockchain for command-and-control infrastructure.
The extensions are designed to deploy malware through future updates, with at least six activated so far, and were published by newly created GitHub accounts naming an eight-character string. The core pattern is impersonation of legitimate extension listings, including icons, names and descriptions, under different publishers to build visual trust before malware is delivered.
Socket notes that the malware delivery combines bundled native binaries with payloads retrieved from remote locations, and that the extended code paths can evade typical scans by spreading logic across multiple delivery mechanisms. According to Socket, this mirrors earlier GlassWorm waves, where cloned listings create trust before any payload is introduced.