GlassWorm OpenVSX sleeper extension campaign
Campaign
Summary
Hide ▲
Show ▼
The GlassWorm operation has launched a new wave against OpenVSX, seeding 73 sleeper extensions that become malicious after an update and can deliver malware to developers. Six of the extensions have already been activated. The campaign matters because the listings are designed to look benign first and then switch to payload delivery later.
Related Happenings
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
CampaignAbout this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
How related:
A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update.
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
GlassWorm v2 cloned VS Code extension loaders
Malware ActivityHow related: A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update.
About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Chrome Web Store malicious extensions coordinated campaign using shared C2
CampaignAbout this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Chrome extension campaign
Campaign
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Chrome extension campaign
CampaignAbout this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax social media ad campaign targeting Spanish-speaking users
CampaignAbout this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Timeline
-
28.04.2026 00:41 2 articles · 29d ago
Researchers identify new GlassWorm OpenVSX wave with 73 sleeper extensions
Initial DisclosureResearchers identify a new GlassWorm wave targeting OpenVSX with 73 sleeper extensions that are benign when uploaded and become malicious after a later update; six are already activated, and the listings are clones of legitimate extensions designed to trick developers.
Show sources
- GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions — www.bleepingcomputer.com — 28.04.2026 00:41
- GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions — www.bleepingcomputer.com — 28.04.2026 00:41