{"id":6219,"date":"2026-04-27T17:48:43","date_gmt":"2026-04-27T17:48:43","guid":{"rendered":"https:\/\/delimiter.online\/blog\/fake-vs-code-extensions-malware\/"},"modified":"2026-04-27T17:48:43","modified_gmt":"2026-04-27T17:48:43","slug":"fake-vs-code-extensions-malware","status":"publish","type":"post","link":"https:\/\/delimiter.online\/blog\/fake-vs-code-extensions-malware\/","title":{"rendered":"Researchers Find 73 Fake VS Code Extensions Spreading GlassWorm Malware"},"content":{"rendered":"<p><a href=\"https:\/\/delimiter.online\/blog\/trueconf-vulnerabilities\/\" title=\"cybersecurity\">Cybersecurity<\/a> researchers have identified a cluster of 73 fraudulent extensions on the Open VSX repository for Microsoft Visual Studio Code, linking them to a persistent information-stealing campaign known as GlassWorm.<\/p>\n<p>The campaign involves cloned versions of legitimate <a href=\"https:\/\/delimiter.online\/blog\/cisa-kev-catalog-vulnerabilities\/\" title=\"VS Code\">VS Code<\/a> extensions. According to the researchers, six of these extensions have been confirmed as malicious, while the remaining 67 appear to be benign, functioning as seemingly harmless placeholders or decoys.<\/p>\n<p>The Open VSX repository is an open source registry for Visual Studio Code extensions, serving as an alternative to Microsoft\u2019s official marketplace. Security analysts flagged the malicious extensions as part of a broader effort to spread the GlassWorm v2 <a href=\"https:\/\/delimiter.online\/blog\/weekly-security-news-recap\/\" title=\"malware\">malware<\/a>, a sophisticated strain of information-stealing software.<\/p>\n<h2>Nature of the Threat<\/h2>\n<p>GlassWorm v2 is designed to harvest sensitive data including login credentials, browser cookies, and cryptocurrency wallet information from infected systems. 
The malware operates quietly in the background, exfiltrating data to command-and-control servers operated by the threat actors.<\/p>\n<p>The use of fake VS Code extensions is a relatively new vector for malware distribution. Developers and IT professionals often trust extensions from official or well-known repositories, making this method particularly effective for targeting a technical audience.<\/p>\n<p>Researchers noted that the malicious extensions were carefully crafted to mimic the appearance and functionality of legitimate tools. This social engineering tactic lowers the suspicion of users who install them for development tasks.<\/p>\n<h2>Scope of the Campaign<\/h2>\n<p>At present, only six of the 73 detected extensions are known to be actively malicious. However, the presence of the remaining 67 clones raises concerns about potential misuse. Security experts warn that these dormant extensions could be activated at a later stage or used as part of a larger distribution network.<\/p>\n<p>The campaign appears to have been active for several months, with the extensions uploaded to the Open VSX repository in batches. The exact number of affected users remains unclear, but given the popularity of VS Code among developers, the potential reach is significant.<\/p>\n<p>Open VSX administrators have been notified and are reportedly reviewing the flagged extensions for removal. Researchers are advising users to verify the authenticity of extensions before installing them, especially those from less well-known publishers.<\/p>\n<h2>Recommendations for Users<\/h2>\n<p>Developers using Visual Studio Code are urged to take precautions. Installing extensions only from trusted publishers, checking download counts and user reviews, and scrutinizing permission requests are important steps to reduce risk.<\/p>\n<p>Security teams should consider implementing policies that restrict the use of third-party extensions from unofficial sources. 
Regular audits of installed extensions and monitoring for unusual network activity can help detect infections early.<\/p>\n<p>For individual users, maintaining up-to-date antivirus software and enabling two-factor authentication on sensitive accounts provides an additional layer of defense against credential theft.<\/p>\n<p>This incident highlights the growing trend of supply chain attacks targeting developer tools and platforms. As the threat landscape evolves, vigilance and proactive security practices remain essential for protecting both personal and organizational data.<\/p>\n<p>Further investigations are expected to uncover more details about the group behind GlassWorm v2 and their methods. Security agencies may issue additional advisories as the analysis of the extensions continues.<\/p>\n<p>Source: Delimiter<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have identified a cluster of 73 fraudulent extensions on the Open VSX repository for Microsoft Visual Studio Code, linking them to a persistent information-stealing campaign known as GlassWorm. The campaign involves cloned versions of legitimate VS Code extensions. 
According to the researchers, six of these extensions have been confirmed as malicious, while the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6220,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[505],"tags":[619,7268,544,1670,2794],"class_list":["post-6219","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-cybersecurity","tag-glassworm","tag-malware","tag-software-supply-chain","tag-vs-code"],"_links":{"self":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/6219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/comments?post=6219"}],"version-history":[{"count":0,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/6219\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media\/6220"}],"wp:attachment":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media?parent=6219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/categories?post=6219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/tags?post=6219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}