www.darkreading.com 2/3/2026, 9:45:55 PM

GlassWorm Malware Returns to Shatter Developer Ecosystems

GlassWorm has returned, continuing to shatter developer ecosystems by poisoning Open VSX components and leaving downstream users with infostealer infections. Researchers with application security vendor Socket detailed a supply chain attack involving four Trojanized components distributed via the Open VSX registry. The malicious versions were removed after the Jan. 30 report to Open VSX and the Eclipse Foundation.

According to Socket’s Kirill Boychenko, the four extensions were published under an established publisher account with meaningful adoption signals across ecosystems, and the attack appears designed to harvest credentials and other sensitive data. The campaign mirrors prior GlassWorm activity, using blockchain-based infrastructure (Solana) for command and control and a calendar-based backup channel (Google Calendar), and it could affect tens of thousands of developer machines.

The incident follows the malware’s initial discovery by Koi Security in the fall of 2025, when GlassWorm was seen propagating by abusing publishing access to distribute poisoned components. In guidance for defenders, organisations are urged to rotate credentials, audit GitHub activity, and validate CI configurations and release jobs. If an extension listed in the IOCs is installed, it should be treated as a credential exposure event and removed.
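One way to run the "is a listed extension installed" check described above, as an added example that is not code from Socket, Open VSX or the article. The IOC entries are constructed placeholders, and the extension directories are assumed defaults for VS Code, VSCodium and Cursor. Because the Trojanized releases came from an established publisher, the check separates a listed version from other versions of the same extension.

```python
import re
from pathlib import Path

# Assumed default extension directories for editors that install from Open VSX
# or the VS Code Marketplace; adjust for your fleet.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-oss", ".cursor")]

# Placeholder IOC entries (constructed): replace with the lowercase extension
# IDs and versions from the published IOC list. None means "any version".
IOCS = {
    "examplepublisher.example-ext-a": {"1.4.2"},
    "examplepublisher.example-ext-b": None,
}

# Installed extensions live in folders named <publisher>.<name>-<version>,
# optionally followed by a platform suffix such as -linux-x64.
_DIR_RE = re.compile(
    r"^(?P<id>[A-Za-z0-9][\w-]*\.[\w.-]+?)-(?P<ver>\d+\.\d+\.\d+)(?:-[\w-]+)?$")

def parse_ext_dir(name):
    """Return (lowercased extension id, version), or None for other entries."""
    m = _DIR_RE.match(name)
    return (m["id"].lower(), m["ver"]) if m else None

def classify(ext_id, version, iocs=IOCS):
    """'exposed': listed version installed; 'review': listed id, other version."""
    if ext_id not in iocs:
        return None
    bad = iocs[ext_id]
    return "exposed" if bad is None or version in bad else "review"

def scan(roots=DEFAULT_ROOTS, iocs=IOCS):
    """Return sorted (verdict, ext_id, version, path) for every IOC hit."""
    hits = []
    for root in roots:
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            parsed = parse_ext_dir(entry.name) if entry.is_dir() else None
            verdict = classify(*parsed, iocs) if parsed else None
            if verdict:
                hits.append((verdict, *parsed, str(entry)))
    return sorted(hits)

if __name__ == "__main__":
    for verdict, ext_id, version, path in scan():
        print(f"{verdict.upper():8} {ext_id} {version} {path}")
```

An "exposed" result corresponds to the article's credential exposure case; a "review" result means a different version of a listed extension is present and its install history should be checked.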

Article by CyberSIXT