Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

VS Code Marketplace malicious extension campaign using disguised dependency payloads

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

A malicious VS Code extension campaign has spread through 19 extensions, creating supply-chain risk for developers using the marketplace. The operation has been active since February 2025 and relies on disguised payloads embedded in dependency folders. It matters because trusted extensions were used to covertly execute malware through a legitimate distribution channel.

Related Happenings

Npm typosquatting campaign distributing WinOS 4.0 implant

Campaign
First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...

Open Happening

Famous Chollima PromptMink supply-chain campaign targeting Web3 developers

Campaign
First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....

Open Happening

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Open Happening

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

Open Happening

UNC1069 Axios npm supply-chain campaign targeting build pipelines

Campaign
First: 01.04.2026 10:44 Last: 01.04.2026 10:44 Sources 1

About this happening: The **Axios npm supply-chain compromise** has been tied to **UNC1069**, putting **npm consumers** and downstream **build pipelines** at risk from trojanized releases. Attackers se...

Latest development: 13.04.2026 20:39

OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.

Open Happening

Timeline

  1. 11.12.2025 18:00 2 articles · 5mo ago

    ReversingLabs discloses 19-extension campaign

    Initial Disclosure

    ReversingLabs disclosed a campaign affecting 19 Visual Studio Code extensions that hid malware inside dependency folders, including a modified path-is-absolute npm package, a fake banner.png archive, and payload launch through cmstp.exe; four other extensions instead abused @actions/io, and the affected extensions were reported to Microsoft. The operation had been active since February 2025 and was identified on December 2, 2025.

    Show sources
    Open in new tab