73 Fake VS Code Extensions Spread GlassWorm v2 Malware
Security researchers have identified 73 malicious Visual Studio Code extensions hosted on the Open VSX registry that distribute an updated variant of the GlassWorm information-stealing malware, now tracked as version 2. The campaign remained active for several weeks before discovery, and the fraudulent extensions accumulated thousands of downloads before they were removed. The threat actors disguised the malicious code as common developer utilities and productivity themes, which allowed it to pass initial security screening.
The GlassWorm v2 malware employs advanced obfuscation techniques and a multi-stage infection chain to compromise victim systems. Upon installation, the malicious extensions execute obfuscated JavaScript that initiates a covert download and ultimately deploys the primary information-stealing payload. The malware targets a broad range of sensitive data, including system credentials, browser session cookies, cryptocurrency wallet files, SSH keys, and development environment variables. GlassWorm v2 also incorporates keystroke logging and screenshot capture to harvest authentication tokens and proprietary source code.
This attack vector represents a significant supply chain risk for organizations that use VS Code in their software development workflows. Developers often hold elevated access to cloud infrastructure, CI/CD pipelines, and proprietary repositories, which makes their environments high-value targets for cybercriminals. The Open VSX registry, an open-source alternative to Microsoft's official marketplace, lacks the rigorous vetting processes Microsoft implements, giving threat actors an opening to distribute compromised extensions. Security teams are strongly advised to audit all installed extensions, implement application whitelisting policies, and monitor development environments for unauthorized network communications.
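The extension audit recommended above can be automated with a short script. The following is an added example, not code from the article or from any vendor tool; it assumes the standard on-disk layout of one folder per extension under `~/.vscode/extensions`, each holding a `package.json` manifest with `publisher`, `name`, `version`, `main` and `activationEvents` fields. The allowlist, the extension named `devtools-pro.dark-theme-plus`, and the sample manifests are all constructed for the demonstration. Beyond the allowlist check, it flags two traits relevant to this campaign: a "theme" extension that nonetheless declares a JavaScript entrypoint (pure colour or icon themes are JSON only and run no code), and an extension that activates unconditionally on every editor start.

```python
"""Audit locally installed VS Code extensions against an allowlist.

Added example (not from the article or any vendor tool). Assumes the usual
on-disk layout: one folder per extension under ~/.vscode/extensions, each
containing a package.json manifest with publisher/name/version fields.
"""
import json
import tempfile
from pathlib import Path
from typing import Optional

# Constructed allowlist of approved extensions, keyed by "publisher.name".
# A real policy would be maintained centrally and would usually pin versions.
APPROVED_EXTENSIONS = {
    "ms-python.python",
    "esbenp.prettier-vscode",
}


def load_manifest(ext_dir: Path) -> Optional[dict]:
    """Return the parsed package.json for one extension folder, or None."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        return json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def audit_extension(manifest: dict, approved: set) -> dict:
    """Check one manifest against the allowlist and a few risk heuristics."""
    ident = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()
    findings = []
    if ident not in approved:
        findings.append("not on allowlist")

    contributes = manifest.get("contributes") or {}
    ships_code = bool(manifest.get("main") or manifest.get("browser"))
    # Colour and icon themes are pure JSON and need no entrypoint; a "theme"
    # that also declares a JavaScript entrypoint will run code on activation.
    is_theme = any(key in contributes for key in ("themes", "iconThemes"))
    if is_theme and ships_code:
        findings.append("theme extension declares a JavaScript entrypoint")

    # "*" activates the extension on every editor start, regardless of what
    # the user opens; legitimate extensions normally scope their activation.
    if "*" in (manifest.get("activationEvents") or []):
        findings.append("activates unconditionally on startup")

    return {"id": ident, "version": manifest.get("version", "?"), "findings": findings}


def audit_directory(ext_root: Path, approved: set) -> list:
    """Audit every extension folder under ext_root; return only flagged ones."""
    results = []
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        manifest = load_manifest(ext_dir)
        if manifest is None:
            continue
        result = audit_extension(manifest, approved)
        if result["findings"]:
            results.append(result)
    return results


def build_sample_extensions(root: Path) -> Path:
    """Write two constructed manifests so the audit can run offline."""
    samples = {
        "ms-python.python-2024.0.0": {
            "publisher": "ms-python", "name": "python", "version": "2024.0.0",
            "main": "./out/client/extension",
            "activationEvents": ["onLanguage:python"],
        },
        # Hypothetical extension: looks like a colour theme but runs code on every start.
        "devtools-pro.dark-theme-plus-1.0.3": {
            "publisher": "devtools-pro", "name": "dark-theme-plus", "version": "1.0.3",
            "main": "./out/extension.js",
            "activationEvents": ["*"],
            "contributes": {"themes": [{"label": "Dark Theme Plus", "path": "./themes/dark.json"}]},
        },
    }
    for folder, manifest in samples.items():
        ext_dir = root / folder
        ext_dir.mkdir(parents=True)
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def run_demo() -> list:
    """Build the constructed fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_extensions(Path(tmp))
        return audit_directory(root, APPROVED_EXTENSIONS)


if __name__ == "__main__":
    # Real use: audit_directory(Path.home() / ".vscode" / "extensions", APPROVED_EXTENSIONS)
    for entry in run_demo():
        print(f"{entry['id']}@{entry['version']}: {', '.join(entry['findings'])}")
```

Run against the real extensions folder, the script lists every extension that is either outside the approved set or carries one of the two structural warning signs; the allowlist check is the enforcement step, while the heuristics help triage what a newly requested extension actually does before it is approved.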