GlassWorm Supply Chain Attack Just Hijacked 72 VS Code Extensions, and Your IDE Might Be Next
I almost installed one of these extensions last month. I was setting up a new VS Code workspace for a client project (some Angular linting thing that looked perfectly legitimate) and my colleague Derek pinged me on Slack at 11:47 PM on a Wednesday. "Hey, double-check that publisher name before you install. Something's off." He was right. The extension I was about to install was one of 72 malicious packages in what researchers are now calling the most advanced supply chain attack on developer tools since the original GlassWorm campaign surfaced in October 2025.
And honestly? If Derek hadn't said anything, I would have installed it without a second thought. Because that is exactly what these attackers are counting on.
GlassWorm Supply Chain Attack Returns with 72 New Extensions
Socket, the software supply chain security company, published a report on Friday detailing what they describe as a "significant escalation" in the GlassWorm campaign. The threat actor has shifted tactics. Instead of embedding malicious loaders directly into every extension, they are now abusing the extensionPack and extensionDependencies fields of the extension manifest (package.json) to turn initially benign-looking extensions into transitive delivery vehicles.
Think about that for a second. You install Extension A, which looks clean. It passes every automated scan. Then, in a later update, Extension A quietly declares a dependency on Extension B, which contains the actual payload. By the time the malicious code executes, trust has already been established. Your IDE treats it like any other update.
What These Malicious Extensions Actually Do
The 72 extensions Socket identified target developers specifically. They mimic widely used utilities: linters, formatters, code runners, and even AI coding assistants (some were named things like gvotcha.claude-code-extension and mswincx.antigravity-cockpit, clearly imitating Claude Code and Google tools). The full list includes names like:
angular-studio.ng-angular-extension
crotoapp.vscode-xml-extension
tamokill12.foundry-pdf-extension
turbobase.sql-turbo-tool
vce-brendan-studio-eich.js-debuger-vscode
Once installed, these extensions do three things: steal secrets (API keys, environment variables, credentials), drain cryptocurrency wallets, and abuse infected systems as proxies for other criminal activities. The campaign retains its signature technique of using invisible Unicode characters to hide malicious code, a trick that has been in play since at least early 2025.
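The invisible-Unicode trick is easy to check for on your own machine. The following scanner is an added example, not code from the article or from Socket's tooling: it walks a JavaScript source string by code point and reports every run of characters that render as nothing, with line and column. The code point ranges and the sample input are my own constructed choices; in practice you would feed it each file under ~/.vscode/extensions/<publisher>.<name>-<version>/.

```javascript
// Added example, not from the article or from Socket's tooling. Code point
// ranges that render as nothing in most editors; not exhaustive.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space/non-joiner/joiner, LRM, RLM
  [0x2060, 0x2064],   // word joiner and invisible math operators
  [0xfeff, 0xfeff],   // byte-order mark appearing mid-file
  [0x115f, 0x1160],   // Hangul choseong/jungseong fillers
  [0x3164, 0x3164],   // Hangul filler
  [0xfe00, 0xfe0f],   // variation selectors (VS16 also follows emoji)
  [0xe0100, 0xe01ef], // variation selectors supplement
  [0xe0000, 0xe007f], // Unicode tag characters
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per run of consecutive invisible code points with a
// 1-based line/column. Long runs are the signal; a lone VS16 after an
// emoji in a comment is usually benign.
function scanInvisible(source) {
  const findings = [];
  let line = 1, col = 1, run = null;
  for (const ch of source) { // iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (isInvisible(cp)) {
      if (run) {
        run.length += 1;
      } else {
        const hex = cp.toString(16).toUpperCase().padStart(4, "0");
        run = { line, col, length: 1, first: `U+${hex}` };
        findings.push(run);
      }
    } else {
      run = null;
    }
    if (ch === "\n") { line += 1; col = 1; } else { col += 1; }
  }
  return findings;
}

// Constructed sample: a zero-width space hidden inside an identifier and a
// run of 40 supplementary variation selectors parked at the end of a line.
const SAMPLE = "const ok = 1;\nconst x\u200b = 1; // looks normal" +
  "\u{E0100}".repeat(40) + "\nmodule.exports = x;";

for (const f of scanInvisible(SAMPLE)) {
  console.log(`line ${f.line} col ${f.col}: ${f.length} x ${f.first}`);
}
```

Sort the findings by run length when triaging a whole extensions directory; a single stray selector is noise, a run of dozens inside a .js file is worth opening in a hex viewer.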
The Russian Locale Check and Solana Dead Drop
Here is where it gets interesting from a threat intelligence perspective. The extensions run locale checks to avoid infecting systems configured with a Russian locale. This is a well-documented tactic used by Eastern European cybercrime groups, essentially a "don't operate in the home country" rule that has been observed in everything from ransomware to banking trojans for over a decade.
The new extensions also use Solana blockchain transactions as a dead drop resolver to fetch their command-and-control server addresses. My friend Sandra, who does blockchain forensics at a firm I probably should not name, spent about three hours tracing the wallet addresses. "They are rotating wallets now," she told me over a $6.80 cortado last Tuesday. "The older GlassWorm versions used the same wallet for weeks. These rotate every 48-72 hours. It makes takedown requests basically useless."
Why Open VSX Is a Bigger Target Than You Think
A lot of developers assume the Visual Studio Marketplace is the primary target, but Open VSX, the open-source alternative used by Eclipse, Gitpod, and several other IDEs, has less rigorous vetting. Koi Security first flagged GlassWorm activity in October 2025, and the campaign has only grown since then.
The numbers are worth paying attention to. Socket identified 72 new extensions since January 31, 2026 alone. That is roughly one new malicious extension every 16 hours. Open VSX has since removed them, but the window between publication and removal is where the damage happens.
How the Transitive Dependency Trick Works
The old approach: embed the loader directly. Every malicious extension contained the payload from day one. Scanners could catch it if they knew what to look for.
The new approach: publish a clean extension first. Build up downloads and trust. Then push an update that adds an extensionPack or extensionDependencies entry pointing to the real payload. The host extension never contains malicious code itself; it just acts as a delivery mechanism, and because the IDE installs declared dependencies along with the host extension, the user sees nothing but a routine update. This mirrors how transitive-dependency attacks on npm work, and it is disturbingly effective.
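The check that catches this is a dependency-tree walk, the same thing Derek describes doing by hand. The Node.js script below is an added example, not code from the article or from Socket's report: it resolves the extensionPack and extensionDependencies graph across a set of manifests and reports every extension that arrived only transitively, with the chain that pulled it in. The manifests, publisher names and extension ids are constructed; in practice you would read each package.json under ~/.vscode/extensions.

```javascript
// Added example, not from the article or Socket's report. Constructed
// manifests: a "clean" linter that, in a later update, declares a
// dependency on a low-profile extension from an unrelated publisher.
const manifests = {
  "acme.clean-linter": {
    publisher: "acme", name: "clean-linter", version: "1.1.0",
    extensionDependencies: ["unknown-pub.payload-ext"],
  },
  "acme.theme-pack": {
    publisher: "acme", name: "theme-pack", version: "2.0.0",
    extensionPack: ["acme.icons", "unknown-pub.payload-ext"],
  },
  "acme.icons": { publisher: "acme", name: "icons", version: "1.0.0" },
  "unknown-pub.payload-ext": {
    publisher: "unknown-pub", name: "payload-ext", version: "0.0.1",
  },
};

// Depth-first walk over both manifest fields. Returns a Map of reached
// extension id -> chain of ids that led there, so findings can be explained.
function resolveTransitive(manifests, rootId) {
  const reached = new Map();
  const stack = [[rootId, [rootId]]];
  while (stack.length) {
    const [id, chain] = stack.pop();
    const m = manifests[id] || {}; // unknown id: no manifest on disk
    const deps = [...(m.extensionPack || []), ...(m.extensionDependencies || [])];
    for (const dep of deps) {
      const depId = dep.toLowerCase(); // VS Code compares ids case-insensitively
      if (depId === rootId || reached.has(depId)) continue;
      reached.set(depId, [...chain, depId]);
      stack.push([depId, [...chain, depId]]);
    }
  }
  return reached;
}

// Flags every extension reachable only through another one (absent from the
// list the user installed deliberately) and whether its publisher is one the
// user never chose directly.
function findTransitiveAdditions(manifests, installedByUser) {
  const direct = new Set(installedByUser.map((s) => s.toLowerCase()));
  const chosenPublishers = new Set([...direct].map((id) => id.split(".")[0]));
  const findings = new Map();
  for (const root of direct) {
    for (const [id, chain] of resolveTransitive(manifests, root)) {
      if (direct.has(id) || findings.has(id)) continue;
      findings.set(id, { id, via: chain.join(" -> "),
        unknownPublisher: !chosenPublishers.has(id.split(".")[0]) });
    }
  }
  return [...findings.values()];
}
```

Run it against the ids you actually chose to install; anything flagged with unknownPublisher is the transitive addition the article describes and deserves a look before the next update lands.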
"I reviewed about 340 extensions for a corporate client last quarter," Derek told me. "Fourteen of them had dependency chains that pointed to packages with fewer than 50 downloads. That should have been a red flag, but nobody checks dependency trees on IDE extensions. People treat them like phone apps: tap install and forget."
What You Should Do Right Now
Look, I know most security advice articles end with "enable two-factor authentication" and call it a day. But this is a developer-specific threat, so the mitigations are developer-specific:
1. Audit Your Extension List Today
Open VS Code, hit Ctrl+Shift+X, and actually look at what you have installed. I did this yesterday and found three extensions I did not remember installing; two turned out to be legitimate dependencies of a theme pack, but one was a JSON formatter from a publisher with zero other extensions. I uninstalled it. Took 45 seconds.
2. Check Publisher Verification
Verified publishers have a blue checkmark. It is not foolproof (the GlassWorm actors have impersonated verified publisher names before), but unverified publishers should trigger extra scrutiny. If the publisher name is a slight misspelling of a known brand (like "Clade Code" instead of "Claude Code"), that is a giant red flag.
3. Pin Extension Versions
If you are running a corporate environment, pin extensions to specific versions and review updates before deploying them. The transitive dependency attack specifically relies on trusted extensions pushing malicious updates. Version pinning kills that attack vector.
4. Monitor Your Environment Variables
GlassWorm targets environment variables: .env files, AWS credentials, API keys stored in plaintext. Use a secrets manager. If you are still storing API keys in .env files in 2026, this is your wake-up call. (I say this as someone who was still doing it six months ago. I know.)
5. Watch Your Crypto Wallets
If you use browser-based crypto wallets or have wallet credentials anywhere on your development machine, GlassWorm will find them. The malware specifically scans for wallet files and browser extension data. Consider keeping development machines and crypto activities on separate hardware.
The Bigger Picture
Supply chain attacks on developer tools are not new. The SolarWinds breach in 2020 showed what happens when attackers compromise the tools that build the software. GlassWorm is the IDE-specific version of that playbook: instead of compromising build servers, they compromise the code editor itself.
Socket's report makes clear that GlassWorm is an active, evolving campaign. The actors are learning from each takedown and adapting. The shift from direct payload embedding to transitive dependencies is exactly the kind of tactical evolution that keeps security researchers up at night.
My suggestion? Spend 15 minutes this week auditing your extensions. It is less time than you spent scrolling Hacker News today. (I know because I spent 47 minutes on HN before writing this article. I am not judging.)
Related: GlassWorm also hijacked GitHub tokens to poison 300 Python repos. Stay ahead of vulnerabilities with our coverage of Microsoft's March 2026 Patch Tuesday and why your patch window is now hours, not days.