GlassWorm OpenVSX sleeper extension campaign
Campaign
Summary
Hide ▲
Show ▼
The GlassWorm operation has launched a new wave against OpenVSX, seeding 73 sleeper extensions that become malicious after an update and can deliver malware to developers. Six of the extensions have already been activated. The campaign matters because the listings are designed to look benign first and then switch to payload delivery later.
Related Happenings
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Visual Studio Code adds two-hour delay for automatic extension updates
Security Tool/Service
H score10
First: 08.06.2026 09:08
Last: 08.06.2026 09:08
Sources 1
About this happening:
**Visual Studio Code (VS Code)** will delay automatic extension updates by **two hours** starting in **VS Code 1.123**, reducing exposure to **problematic or potentially compromis...
Visual Studio Code adds two-hour delay for automatic extension updates
Security Tool/ServiceAbout this happening: **Visual Studio Code (VS Code)** will delay automatic extension updates by **two hours** starting in **VS Code 1.123**, reducing exposure to **problematic or potentially compromis...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
H score75
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
CampaignAbout this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
H score30
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
How related:
A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update.
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
GlassWorm v2 cloned VS Code extension loaders
Malware ActivityHow related: A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update.
About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
H score38
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Chrome Web Store malicious extensions coordinated campaign using shared C2
CampaignAbout this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Timeline
-
28.04.2026 00:41 2 articles · 2mo ago
Researchers identify new GlassWorm OpenVSX wave with 73 sleeper extensions
Initial DisclosureResearchers identify a new GlassWorm wave targeting OpenVSX with 73 sleeper extensions that are benign when uploaded and become malicious after a later update; six are already activated, and the listings are clones of legitimate extensions designed to trick developers.
Show sources
- GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions — www.bleepingcomputer.com — 28.04.2026 00:41
- GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions — www.bleepingcomputer.com — 28.04.2026 00:41