Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First reported
Last updated
Happening score
H score 30
2 unique sources, 3 articles

Summary

Hide ▲

The GlassWorm v2 malware activity now uses cloned VS Code extensions on Open VSX to deliver payloads that steal credentials, deploy a RAT, and spread across multiple IDEs. The cluster includes 73 extensions, with six confirmed malicious and the rest used as sleeper packages to build trust before a later update turns them into malware delivery vehicles. A second-stage VSIX file is retrieved from GitHub and installed with `--install-extension` into VS Code, Cursor, Windsurf, and VSCodium. The operation matters because it turns ordinary extension installs into a supply-chain delivery path for persistent credential theft and data loss.

Related Happenings

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

JetBrains Marketplace malicious plugins exfiltrating AI provider keys

Malware Activity
H score12 First: 17.06.2026 12:38 Last: 17.06.2026 12:38 Sources 1

About this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...

Developers' AI provider API keys exfiltrated via malicious JetBrains plugins

Data Leak
H score12 First: 17.06.2026 12:10 Last: 17.06.2026 12:10 Sources 1

About this happening: Developers' **AI provider API keys** were **exfiltrated** through malicious **JetBrains Marketplace** plugins, exposing credentials from a broad user base and risking unauthorized...

Visual Studio Code adds two-hour delay for automatic extension updates

Security Tool/Service
H score10 First: 08.06.2026 09:08 Last: 08.06.2026 09:08 Sources 1

About this happening: **Visual Studio Code (VS Code)** will delay automatic extension updates by **two hours** starting in **VS Code 1.123**, reducing exposure to **problematic or potentially compromis...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
H score16 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Timeline

  1. 27.04.2026 14:23 2 articles · 2mo ago

    Researchers identify GlassWorm v2 cloned VS Code extensions on Open VSX

    Initial Disclosure

    Researchers identified 73 cloned Microsoft Visual Studio Code (VS Code) extensions on the Open VSX repository tied to GlassWorm v2, with six confirmed malicious and the remainder used as sleeper packages that copied legitimate icons and descriptions to build trust before a later update delivered a GitHub-hosted VSIX payload. The loader chain uses Zig-based droppers and the `--install-extension` command to push the payload into VS Code, Cursor, Windsurf, and VSCodium, with the end goal of stealing credentials and bookmarks, installing a remote access trojan (RAT), and avoiding Russian systems.

    Show sources
  2. 10.11.2025 10:51 1 articles · 8mo ago

    GlassWorm resurfaces in three VS Code extensions

    Campaign Scope Update

    GlassWorm resurfaced in three VS Code extensions—ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs—while researchers said the campaign still targets the Visual Studio Code (VS Code) ecosystem, Open VSX removed malicious extensions and rotated or revoked tokens, and a fresh Solana blockchain transaction updated the C2 endpoint; Koi Security also reported victims across the U.S., South America, Europe, and Asia, including a major government entity in the Middle East.

    Show sources