Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware

Cybersecurity experts have discovered a collection of 73 fake Visual Studio Code extensions hosted on the Open VSX repository that are part of an ongoing information-stealing campaign known as GlassWorm. Among these cloned extensions, six have been confirmed to contain malicious code designed to steal user data, while the remainder appear benign but remain under investigation.
What happened
Researchers detected a cluster of 73 Visual Studio Code extensions on the Open VSX marketplace that are counterfeit replicas of legitimate extensions. These fake extensions have been associated with the GlassWorm malware campaign, which focuses on information theft from infected systems. While only six of the extensions have been definitively confirmed as malicious, the remainder have suspicious attributes and are potentially linked to the same campaign. This discovery points to a targeted effort to leverage trusted developer tools to distribute malware.
Why it matters
This incident highlights a growing risk for software developers and IT professionals who routinely install third-party extensions to enhance coding environments. Attackers exploiting the extension ecosystem can potentially access sensitive development data and credentials, undermining both personal and organizational security. The identification of cloned extensions further complicates efforts to distinguish legitimate from malicious software, emphasizing the need for enhanced scrutiny and repository policing.
What security teams should do
Security teams managing developer environments should review installed VS Code extensions and verify their authenticity against official sources. It is advisable to restrict extension installation from untrusted or less-verified repositories such as Open VSX in favor of official marketplaces. Monitoring for suspicious activity related to VS Code usage and scanning for known GlassWorm indicators are recommended. Teams should also consider deploying endpoint detection tools capable of identifying information-stealing malware and updating security policies on extension vetting.
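One way to carry out the extension review described above, as an added example that is not from the original report or the researchers: it reads each installed extension's `package.json` (VS Code keeps them under `~/.vscode/extensions` by default) and compares the `publisher.name` ID against an allowlist. The allowlist, the sample data and the same-name-different-publisher clone heuristic are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist of vetted extension IDs (publisher.name); replace with your own.
APPROVED = {"ms-python.python", "esbenp.prettier-vscode"}

def audit(ext_dir, approved=APPROVED):
    """Return (extension_id, version, reason) for every extension needing review."""
    approved = {a.lower() for a in approved}
    by_name = {a.split(".", 1)[1]: a for a in approved}  # extension name -> vetted ID
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            pub, name = meta["publisher"].lower(), meta["name"].lower()
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            # A manifest that cannot be parsed is itself worth a manual look.
            findings.append((manifest.parent.name, "unknown", "unreadable-manifest"))
            continue
        ext_id, version = f"{pub}.{name}", str(meta.get("version", "unknown"))
        if ext_id in approved:
            continue
        if name in by_name:
            # Assumed heuristic: a vetted extension's name under another publisher.
            findings.append((ext_id, version, f"possible-clone-of:{by_name[name]}"))
        else:
            findings.append((ext_id, version, "not-on-allowlist"))
    return findings

def demo():
    """Audit a constructed extensions directory (sample data, not real indicators)."""
    samples = [  # (folder, publisher, name, version), all constructed
        ("ms-python.python-1.0.0", "ms-python", "python", "1.0.0"),
        ("examplepub.python-1.0.1", "examplepub", "python", "1.0.1"),
        ("examplepub.some-tool-0.3.0", "examplepub", "some-tool", "0.3.0"),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for folder, pub, name, ver in samples:
            ext = Path(tmp, folder)
            ext.mkdir()
            manifest = {"publisher": pub, "name": name, "version": ver}
            (ext / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

On a real workstation, call `audit(Path.home() / ".vscode" / "extensions")` and treat every finding as a prompt for manual verification, not as a verdict.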
Key technical details
The malicious cluster comprises cloned versions of genuine Visual Studio Code extensions, repackaged to distribute GlassWorm v2, a persistent information-stealing malware. Of the 73 detected extensions, six exhibit confirmed malicious functionality, while the rest currently show suspicious but unconfirmed behavior patterns. These extensions were found on the Open VSX repository, which hosts community-maintained VS Code extensions. GlassWorm operates by clandestinely exfiltrating data from infected machines, leveraging the trusted nature of legitimate developer tools to evade detection.
Affected organizations/products
The affected entities include users of Microsoft Visual Studio Code who download extensions from the Open VSX repository, particularly those who may have installed one or more of the 73 identified cloned extensions. The campaign targets developers relying on these extensions, putting the confidentiality of their information at risk.
Source attribution
https://thehackernews.com/2026/04/researchers-uncover-73-fake-vs-code.html