Open VSX extensions hijacked: GlassWorm malware spreads via dependency abuse
Summary
Threat actors are spreading GlassWorm malware through Open VSX extensions (add-ons for the VS Code editor) by abusing extension dependencies, a feature through which installing one extension automatically installs the other extensions it declares. Instead of hiding malware in every extension, attackers publish legitimate-looking extensions that gain user trust, then update them to depend on separate extensions containing the malware loader, so the malicious code never appears in the extension the user chose to install and the attack is harder to detect.
Solution / Mitigation
As of March 13, Open VSX has removed the majority of the transitively malicious extensions. Socket researchers recommend treating extension dependencies with the same scrutiny typically applied to software packages, monitoring extension updates, auditing dependency relationships, and restricting installation to trusted publishers where possible.
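One way to act on the "audit dependency relationships" advice, as an added example that is not from the article or from Socket's tooling: walk each installed extension's `package.json`, follow the `extensionDependencies` and `extensionPack` fields (the manifest fields through which one extension pulls in others), and report what was installed only transitively and what comes from a publisher outside an allowlist. The sample manifests, extension ids and publisher names below are constructed for illustration; the allowlist is a hypothetical local policy.

```python
"""Audit which VS Code / Open VSX extensions were pulled in by dependencies.

Added example, not the article's or Socket's code. The `extensionDependencies`
and `extensionPack` manifest fields are real; the sample manifests are made up.
"""
import json
from pathlib import Path


def load_manifests(ext_dir):
    """Map 'publisher.name' -> manifest for every extension under ext_dir
    (for example ~/.vscode/extensions, one folder per installed extension)."""
    manifests = {}
    for manifest_path in Path(ext_dir).glob("*/package.json"):
        m = json.loads(manifest_path.read_text(encoding="utf-8"))
        manifests[f"{m['publisher']}.{m['name']}".lower()] = m
    return manifests


def dependency_edges(manifests):
    """Edges from an extension id to every id it causes to be installed."""
    edges = {}
    for ext_id, m in manifests.items():
        deps = m.get("extensionDependencies", []) + m.get("extensionPack", [])
        edges[ext_id] = {d.lower() for d in deps}
    return edges


def audit(manifests, user_installed, trusted_publishers):
    """Return (ids installed only transitively, ids from untrusted publishers).

    user_installed: ids the user chose explicitly; anything else reachable
    through dependency edges arrived automatically with an update."""
    edges = dependency_edges(manifests)
    reachable, stack = set(), list(user_installed)
    while stack:                      # depth-first walk of the dependency graph
        for dep in edges.get(stack.pop(), ()):
            if dep not in reachable:
                reachable.add(dep)
                stack.append(dep)
    transitive = sorted(reachable - set(user_installed))
    untrusted = sorted(e for e in reachable | set(user_installed)
                       if e.split(".", 1)[0] not in trusted_publishers)
    return transitive, untrusted


# Constructed sample: a trusted-looking theme whose update added a dependency
# on a second extension, which in turn packs a third one (the loader stage).
SAMPLE_MANIFESTS = {
    "goodpub.nice-theme": {"publisher": "goodpub", "name": "nice-theme",
                           "extensionDependencies": ["newpub.helper-utils"]},
    "newpub.helper-utils": {"publisher": "newpub", "name": "helper-utils",
                            "extensionPack": ["newpub.runtime-loader"]},
    "newpub.runtime-loader": {"publisher": "newpub", "name": "runtime-loader"},
    "goodpub.linter": {"publisher": "goodpub", "name": "linter"},
}

if __name__ == "__main__":
    t, u = audit(SAMPLE_MANIFESTS, ["goodpub.nice-theme", "goodpub.linter"], {"goodpub"})
    print("installed only transitively:", t)
    print("from publishers outside the allowlist:", u)
```

Running it against a real extensions directory means replacing `SAMPLE_MANIFESTS` with `load_manifests("~/.vscode/extensions")` expanded to the real path and listing the ids you actually chose to install.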
Original source: https://www.csoonline.com/article/4145579/open-vsx-extensions-hijacked-glassworm-malware-spreads-via-dependency-abuse.html
First tracked: March 16, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 85%