VSCode Marketplace malicious extensions campaign targeting developers
Campaign
Summary
A stealthy VSCode Marketplace campaign with 19 malicious extensions is exposing developers to supply-chain compromise by hiding malware inside dependency folders. The operation has been active since February and uses bundled packages, fake archive content, and auto-executing code paths to deliver payloads. Microsoft removed the extensions after they were reported, but anyone who installed them should scan for compromise.
Related Happenings
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
GlassWorm Zig dropper infecting developer IDEs
Malware Activity
First: 10.04.2026 16:23
Last: 10.04.2026 16:23
Sources 1
About this happening:
The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
GlassWorm open-source supply-chain campaign targeting developers
Campaign
First: 14.03.2026 14:55
Last: 14.03.2026 14:55
Sources 1
About this happening:
The **GlassWorm** campaign has added a new **Open VSX** wave of **73 cloned VS Code extensions** that impersonate legitimate packages to build trust before delivering malware. **S...
Latest development: 17.03.2026 23:42
GlassWorm renewed its supply-chain campaign against GitHub, npm, and VSCode/OpenVSX, with researchers identifying 433 compromised components this month across 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. The operators compromised GitHub accounts to force-push malicious commits, published obfuscated code using invisible Unicode characters, and used Solana blockchain transactions as C2 to deliver a Node.js runtime and a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
Microsoft VS Code Live Preview fix in version 0.4.16
Security Patch Release
First: 19.02.2026 12:45
Last: 19.02.2026 12:45
Sources 1
About this happening:
Microsoft's **VS Code 0.4.16** quietly fixed a **Microsoft Live Preview** flaw that could expose **developer files** when the extension was running. The update closes one exploita...
Timeline
- 11.12.2025 22:54 · 2 articles · 5mo ago
VSCode Marketplace malicious extension campaign disclosed
Initial Disclosure
A stealthy VSCode Marketplace campaign targeting developers used 19 malicious extensions, all published as version 1.0.0, to hide malware inside bundled dependency folders. The packages pre-packaged a node_modules folder, inserted a modified path-is-absolute or @actions/io dependency with an additional class in index.js that executes when VSCode starts, decoded an obfuscated JavaScript dropper from a file named lock, and included a fake banner.png archive containing cmstp.exe and a Rust-based trojan; Microsoft removed the extensions after they were reported, and users who installed them were advised to scan for compromise.
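A defender-side check for the on-disk traits listed in this entry, as an added example that is not from the cited article or from Microsoft: it walks an extensions folder and reports any file named lock or any .png that lacks the PNG signature (generalized here from banner.png to every .png), attaching the bundled path-is-absolute or @actions/io folder and version 1.0.0 as context. The finding labels and the default `~/.vscode/extensions` location are assumptions of this sketch.

```python
import json
import os
import sys

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte signature of every real PNG
# Packages the report says were modified inside the bundled node_modules.
WATCHED_DEPS = ("path-is-absolute", os.path.join("@actions", "io"))


def scan_extension(ext_dir):
    """Return sorted findings; [] unless a hard indicator (lock, fake PNG) exists."""
    hard, context = [], []  # context alone is common in benign extensions
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), ext_dir)
            if name == "lock":  # file name of the encoded dropper in the report
                hard.append(f"file-named-lock: {rel}")
            elif name.lower().endswith(".png"):
                try:
                    with open(os.path.join(ext_dir, rel), "rb") as fh:
                        head = fh.read(len(PNG_MAGIC))
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if head != PNG_MAGIC:
                    hard.append(f"not-a-png: {rel}")
        if os.path.basename(root) == "node_modules":
            for dep in WATCHED_DEPS:
                if os.path.isdir(os.path.join(root, dep)):
                    context.append(f"bundled-dep: {dep}")
    try:
        with open(os.path.join(ext_dir, "package.json"), encoding="utf-8") as fh:
            if json.load(fh).get("version") == "1.0.0":
                context.append("version: 1.0.0")
    except (OSError, ValueError, AttributeError):
        pass  # missing or malformed manifest: no version context
    return sorted(hard + context) if hard else []


def scan_root(extensions_root):
    """Map extension folder name -> findings for every folder with a hit."""
    scans = ((e, scan_extension(os.path.join(extensions_root, e)))
             for e in sorted(os.listdir(extensions_root)))
    return {e: hits for e, hits in scans if hits}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.vscode/extensions")
    for ext, hits in scan_root(root).items():
        print(ext, *hits, sep="\n  ")
```

A hit is a reason to inspect the extension by hand, not proof of compromise; a clean result only means these specific traits were not found.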
Show sources
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54