Cybersecurity researchers have flagged 73 cloned Visual Studio Code extensions on the Open VSX repository that are linked to a persistent information-stealing campaign dubbed GlassWorm, with six confirmed as malicious and the rest acting as sleeper packages to coax downloads before an update reveals their true payload.
All extensions were published at the start of the month, according to Socket, which is tracking the latest GlassWorm v2 campaign, and more than 320 artifacts have been identified since 21 December 2025. The malicious extensions mimic legitimate ones, using the same icons and descriptions to exploit developers’ trust and encourage installations before the payload is activated.
The loaders install a VSIX extension hosted on GitHub into every IDE on the system, including VS Code, Cursor, Windsurf and VSCodium, using the --install-extension command. The end goal is to steal data, install a remote access trojan and deploy a rogue Chromium-based extension. The threat actors behind GlassWorm are actively evolving their approach, pivoting to sleeper packages and transitive dependencies to evade detection while using Zig-based droppers to deliver the secondary payload.
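A defender-side check for the installation pattern described above, as an added example that is not from Socket or the original article: it scans process-creation events for the same VSIX file being installed into several IDEs within a short window. The CLI launcher names, the 120-second window and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed CLI launcher names for the IDEs named in the article.
IDE_CLIS = {"code": "VS Code", "cursor": "Cursor",
            "windsurf": "Windsurf", "codium": "VSCodium"}
WINDOW_SECONDS = 120  # assumed burst window, tune for your telemetry

# Constructed sample events: (epoch seconds, parent process, command line).
SAMPLE_EVENTS = [
    (1000, "bash", "code --install-extension ms-python.python"),
    (5000, "node", "code --install-extension /tmp/cache/helper.vsix"),
    (5003, "node", "cursor --install-extension /tmp/cache/helper.vsix"),
    (5007, "node", "windsurf --install-extension /tmp/cache/helper.vsix"),
    (5011, "node", "codium --install-extension /tmp/cache/helper.vsix"),
    (9000, "zsh", "codium --install-extension ./my-theme.vsix"),
]

INSTALL_RE = re.compile(r"--install-extension\s+(\S+)")

def parse_install(cmdline):
    """Return (ide_name, vsix_path) for an IDE CLI installing a local .vsix, else None."""
    parts = cmdline.split()
    if not parts:
        return None
    exe = re.split(r"[\\/]", parts[0])[-1].lower()
    exe = re.sub(r"\.(exe|cmd)$", "", exe)
    m = INSTALL_RE.search(cmdline)
    if exe not in IDE_CLIS or not m:
        return None
    target = m.group(1).strip("\"'")
    # Marketplace IDs (publisher.name) are ignored; only VSIX files are tracked.
    return (IDE_CLIS[exe], target) if target.lower().endswith(".vsix") else None

def find_fanout(events, min_ides=2, window=WINDOW_SECONDS):
    """Flag a VSIX installed into min_ides or more distinct IDEs within the window."""
    by_vsix = defaultdict(list)
    for ts, parent, cmd in events:
        hit = parse_install(cmd)
        if hit:
            by_vsix[hit[1]].append((ts, hit[0], parent))
    alerts = []
    for vsix, hits in by_vsix.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            burst = [h for h in hits[i:] if h[0] - start <= window]
            ides = sorted({h[1] for h in burst})
            if len(ides) >= min_ides:
                alerts.append({"vsix": vsix, "ides": ides, "first_seen": start,
                               "parents": sorted({h[2] for h in burst})})
                break
    return alerts
```

A developer installing one local VSIX into one editor, or installing by marketplace ID, produces no alert; only the multi-IDE fan-out does.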