# Supply Chain Under Siege: GlassWorm's New VS Code Extension Campaign Targets Developer Workflows


A sophisticated threat actor campaign is expanding its attack surface by seeding the Open VSX (Visual Studio Code Extensions) marketplace with seemingly legitimate extensions that deliver self-propagating malware. Security researchers have identified the malicious extensions as part of the GlassWorm campaign—an ongoing supply chain operation that exploits developer trust to compromise entire organizations through compromised development environments.


## The Threat: Deceptive Extensions at Scale


The GlassWorm campaign represents a calculated shift in attack strategy. Rather than targeting a single high-value extension, threat actors are flooding the Open VSX marketplace with multiple extensions designed to appear functional and benign while silently delivering malicious payloads.


Key characteristics of the attack:


  • Self-propagating mechanism: Once installed, the malware propagates itself across the infected developer's environment
  • Supply chain amplification: Compromised developers introduce malicious code into organizational repositories
  • Persistence through legitimacy: Extensions are disguised with plausible functionality and descriptions
  • Open VSX targeting: Attackers focus on the open-source extension marketplace, which has lower verification barriers than Microsoft's official VS Code Marketplace

    • Security teams report detecting dozens of malicious extensions in recent weeks, with several achieving thousands of downloads before removal. The campaign demonstrates attackers' willingness to operate at scale, prioritizing broad infection over stealth.


    ## Background and Context


    ### The Open VSX Ecosystem


    Open VSX is a community-driven alternative to Microsoft's official VS Code Marketplace, designed to provide extension hosting for developers in restricted regions and those preferring open-source distribution channels. While this openness benefits the developer community, it also creates opportunities for malicious actors to submit extensions with minimal scrutiny.


    Unlike the official VS Code Marketplace (which implements automated scanning and publisher verification), Open VSX relies on community reporting and reactive moderation. This asymmetry has made it an attractive target for supply chain attackers.


    ### GlassWorm's Evolution


    GlassWorm has been active since at least 2024, initially targeting cloud infrastructure credentials and SSH keys. The campaign has steadily evolved:


    | Phase | Target | Method | Impact |

    |-------|--------|--------|--------|

    | Early 2024 | GitHub/GitLab credentials | Malicious npm packages | Unauthorized repository access |

    | Mid 2024 | SSH keys and cloud tokens | Compromised development tools | Lateral movement in corporate networks |

    | Current | Developer environments | VS Code extensions | Persistent supply chain compromise |


    Each iteration demonstrates attackers' sophistication in understanding developer workflows and trust patterns.


    ## Technical Details: How the Attack Works


    ### The Infection Chain


    1. Deceptive Packaging: Malicious extensions are published with names similar to legitimate tools (e.g., "Python Linter Pro" instead of established tools). Extensions include functional code that provides real value, making them appear legitimate.


    2. Hidden Payload Delivery: Within the extension code, attackers embed obfuscated JavaScript that:

    - Exfiltrates development environment variables

    - Steals SSH keys and API credentials from the local filesystem

    - Monitors clipboard content for sensitive data

    - Executes arbitrary commands via the VS Code API


    3. Self-Propagation: The malware identifies other VS Code installations on the system and copies itself to their extension directories, spreading across machines on the same network.


    4. Persistence Mechanism: Malicious code modifies extension configuration files to ensure automatic re-execution across VS Code sessions.


    ### Indicators of Compromise


    Organizations can detect GlassWorm extensions by monitoring for:


  • Unusual extension permissions requests: Extensions requesting access to filesystem APIs, shell execution, or environment variables beyond their stated functionality
  • Network anomalies: Unexpected outbound connections from the ~/.vscode/extensions/ directory
  • Credential theft signatures: Suspicious access to ~/.ssh/, ~/.aws/, or token storage locations
  • Modified extension manifests: Discrepancies between published extension code and installed versions

    • ## Implications for Organizations


    ### Immediate Risks


    Developer workstations become entry points: Compromised developers inadvertently introduce malware into organizational repositories through commits and pull requests. A single infected developer can compromise an entire codebase.


    Lateral movement acceleration: Stolen SSH keys and credentials enable attackers to move laterally across infrastructure, accessing cloud environments, private repositories, and internal systems.


    Supply chain contamination: Organizations consuming affected code introduce vulnerabilities into production systems, affecting downstream customers and partners.


    ### Broader Strategic Impact


    This campaign reveals a critical vulnerability in the developer tooling ecosystem. Unlike runtime dependencies (where package managers offer some verification), development tool compromises operate with elevated privileges and deep access to sensitive environments. An infected VS Code extension sees everything a developer can access.


    The scalability of the attack—dozens of extensions across thousands of installations—suggests attackers view this as a high-probability, low-risk approach compared to traditional targeted spear-phishing.


    ## Security Recommendations


    ### For Individual Developers


  • Audit installed extensions: Review all installed VS Code extensions and remove unfamiliar or unnecessary tools
  • Verify extension sources: Install only from the official Microsoft VS Code Marketplace when possible
  • Check extension permissions: Review what APIs and filesystem access each extension requests during installation
  • Enable extension isolation: Use VS Code's "Restricted Mode" for untrusted workspaces
  • Monitor credential access: Regularly audit which processes access SSH keys and credential files

    • ### For Organizations


  • Implement extension allowlists: Deploy centralized extension policies that restrict installations to approved, verified extensions
  • Monitor development environments: Use endpoint detection and response (EDR) tools to flag suspicious activity in VS Code processes
  • Scan repositories for indicators: Implement pre-commit hooks to detect exfiltrated credentials or suspicious code patterns
  • Isolate development networks: Segment developer workstations from production infrastructure
  • Update extension sources: Configure organizational VS Code instances to use only the official Microsoft Marketplace
  • Incident response planning: Develop procedures for responding to developer machine compromise, including credential rotation and code review protocols

    • ### For VS Code and Open VSX Communities


  • Implement automated scanning: Deploy static analysis and behavioral detection for malicious code before extension publication
  • Require publisher verification: Institute identity verification requirements similar to the official marketplace
  • Enable rapid takedown: Establish procedures for emergency extension removal when threats are discovered
  • Transparency reporting: Publish regular security incident reports about detected malicious extensions

    • ## Conclusion


    The GlassWorm campaign's expansion into VS Code extensions underscores a fundamental reality of modern software development: developer tools are infrastructure security tools. An attack on the tools developers trust is an attack on the supply chain itself.


    Organizations cannot afford to treat extension security as a minor concern. The infected developer machine has become a reliable attack vector, and threat actors have demonstrated they understand how to exploit the trust relationships embedded in development tooling ecosystems.


    Immediate action—auditing extensions, updating policies, and monitoring for indicators of compromise—is essential. The question is not whether your organization has been exposed to these malicious extensions, but whether you've detected them yet.