Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm OpenVSX sleeper extension campaign

Campaign
First reported
Last updated
Happening score
H score 45
1 unique sources, 1 articles

Summary

Hide ▲

The GlassWorm operation has launched a new wave against OpenVSX, seeding 73 sleeper extensions that become malicious after an update and can deliver malware to developers. Six of the extensions have already been activated. The campaign matters because the listings are designed to look benign first and then switch to payload delivery later.

Related Happenings

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Visual Studio Code adds two-hour delay for automatic extension updates

Security Tool/Service
H score10 First: 08.06.2026 09:08 Last: 08.06.2026 09:08 Sources 1

About this happening: **Visual Studio Code (VS Code)** will delay automatic extension updates by **two hours** starting in **VS Code 1.123**, reducing exposure to **problematic or potentially compromis...

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
H score75 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score30 First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

How related: A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update.

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
H score38 First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

Timeline

  1. 28.04.2026 00:41 2 articles · 2mo ago

    Researchers identify new GlassWorm OpenVSX wave with 73 sleeper extensions

    Initial Disclosure

    Researchers identify a new GlassWorm wave targeting OpenVSX with 73 sleeper extensions that are benign when uploaded and become malicious after a later update; six are already activated, and the listings are clones of legitimate extensions designed to trick developers.

    Show sources