
Malicious Visual Studio Code Extensions Target Developers Globally

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

LONDON (AP) — Cybersecurity researchers have identified a campaign involving 73 cloned Visual Studio Code extensions on the Open VSX repository that deliver GlassWorm v2 malware, steal credentials, and install cross-IDE remote access trojans.

The malicious extensions were discovered on April 27, 2026, by application security company Socket. The campaign targets developers globally and exploits the trust placed in popular development tools. The cloned extensions copy the name and appearance of legitimate ones, tricking users into installing malware that runs with the developer's privileges and grants attackers remote access to the development environment.

GlassWorm v2, the malware deployed in this campaign, is designed to evade detection through sleeper packages (packages that are published clean and turn malicious in a later release) and transitive dependencies (malicious code pulled in by a dependency of the extension rather than by the extension's own source). The malware checks the system locale and does not run on Russian systems, a check of the kind commonly seen in malware whose operators want to avoid infecting machines in their own region. Once installed, the trojan steals sensitive data, including user credentials and browser bookmarks, potentially exposing proprietary code and personal information.

The attack leverages the Open VSX repository, an alternative marketplace for Visual Studio Code extensions, and GitHub, where the cloned extensions were hosted. Because a clone carries the original's name, description, and metadata, a listing that looks like a known extension passed initial review and reached developers who had no reason to doubt it. The use of transitive dependencies further complicates detection: the malicious code sits in a package the extension depends on, not in the extension's own code, so a review of the extension alone finds nothing.

Socket researchers noted that the campaign represents a sophisticated attempt to compromise developer workflows. The remote access trojans it installs are cross-IDE: they are dropped on the host and target several editors, not only Visual Studio Code, so uninstalling the extension or switching to a different development environment does not end the compromise. This persistence increases the risk of long-term data exfiltration and unauthorized access to corporate networks.

The discovery comes amid growing concerns over supply chain attacks targeting software development tools. Developers are advised to audit their installed extensions and to verify the publisher, not just the extension name, before installing, since a clone is designed to match the name exactly. Security experts recommend installing only from trusted repositories, keeping a team allowlist of approved extensions, and enabling additional security measures such as code signing and dependency scanning of the code bundled inside each extension.
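The audit the previous paragraph recommends can be scripted. The following is an added example, not code from Socket or from any IDE vendor: it walks a VS Code-family extensions directory, reads each extension's package.json, and reports the publisher.name identifier (the value to compare against an allowlist), whether the extension activates on every editor start, any bundled runtime dependencies (the route by which a transitive dependency arrives), and a SHA-256 of the entry script so a known-good build can be pinned. The directory layout and manifest fields are the standard ones; the allowlist, the publisher "devtools-hub", and both sample manifests are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extension directories used by the VS Code family on Linux/macOS (assumed
# defaults; Windows keeps the same folder names under the user profile).
DEFAULT_EXTENSION_DIRS = (
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".vscode-server" / "extensions",
)

# An extension declaring one of these runs code as soon as the editor opens,
# with no user action and no file type involved.
STARTUP_EVENTS = {"*", "onStartupFinished"}


def sha256_file(path):
    """Hex SHA-256 of a file, used to pin a known-good build of the entry script."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_extension(folder, manifest, allowlist):
    """Audit one installed extension from its folder and parsed package.json.

    Returns a dict with the marketplace identifier (publisher.name), version,
    sha256 of the entry script (None if absent) and a list of flags; an empty
    list means nothing needs a second look.
    """
    ident = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()
    flags = []
    if ident not in allowlist:
        flags.append("publisher.name not on the team allowlist")
    if STARTUP_EVENTS & set(manifest.get("activationEvents", [])):
        flags.append("activates on every editor start")
    # Dependencies are bundled inside the VSIX, so every entry here is code
    # the user never saw at install time.
    deps = sorted(manifest.get("dependencies", {}))
    if deps:
        flags.append("bundles runtime dependencies: " + ", ".join(deps))
    main = manifest.get("main")
    entry = folder / main if main else None
    digest = sha256_file(entry) if entry is not None and entry.is_file() else None
    return {"identifier": ident, "version": manifest.get("version"),
            "sha256": digest, "flags": flags}


def audit_directory(ext_dir, allowlist):
    """Audit every <publisher>.<name>-<version>/package.json under ext_dir."""
    report = []
    for manifest_path in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            report.append({"identifier": manifest_path.parent.name, "version": None,
                           "sha256": None, "flags": ["unreadable package.json"]})
            continue
        report.append(audit_extension(manifest_path.parent, manifest, allowlist))
    return report


def build_sample_extensions(root):
    """Write two constructed extension folders under root (demo data only)."""
    samples = {
        "ms-python.python-2024.2.1": {
            "name": "python", "publisher": "ms-python", "version": "2024.2.1",
            "main": "./out/client/extension.js",
            "activationEvents": ["onLanguage:python"],
        },
        # Constructed clone: real-looking name, unknown publisher, runs at startup,
        # and carries a dependency that is never shown to the installer.
        "devtools-hub.prettier-vscode-10.1.0": {
            "name": "prettier-vscode", "publisher": "devtools-hub", "version": "10.1.0",
            "main": "./dist/extension.js",
            "activationEvents": ["*"],
            "dependencies": {"color-utils-core": "^1.0.4"},
        },
    }
    for folder, manifest in samples.items():
        d = Path(root) / folder
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        entry = d / manifest["main"]
        entry.parent.mkdir(parents=True, exist_ok=True)
        entry.write_text("// constructed placeholder entry for " + folder + "\n",
                         encoding="utf-8")


def demo():
    """Run the audit over the constructed sample directory and return the report."""
    allowlist = {"ms-python.python"}  # constructed team allowlist
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_extensions(tmp)
        return audit_directory(tmp, allowlist)


if __name__ == "__main__":
    for entry in demo():
        print(entry["identifier"], entry["version"],
              (entry["sha256"] or "")[:12], entry["flags"] or "ok")
    # Against a real machine, point audit_directory at each existing default dir:
    for ext_dir in DEFAULT_EXTENSION_DIRS:
        if ext_dir.is_dir():
            for entry in audit_directory(ext_dir, {"ms-python.python"}):
                print(ext_dir, entry["identifier"], entry["flags"] or "ok")
```

The allowlist is keyed on publisher.name rather than on the display name because that is the one field a clone cannot share with the original without being the same listing; the SHA-256 lets a team compare what is on disk against the hash recorded when the extension was first approved.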

The full extent of the campaign remains unclear, as researchers continue to investigate the scope of the infection. Questions linger about the identity of the attackers and whether other repositories have been compromised. As the investigation unfolds, the incident highlights the vulnerability of open-source ecosystems to malicious actors seeking to exploit developer trust.

Socket has notified the Open VSX repository administrators, and the malicious extensions have been removed. Removal from the marketplace does not clean machines that already installed them, however: because the malware steals credentials and installs a trojan that outlives the extension, affected users are urged to remove the extension, treat the host as compromised, and rotate any credentials and tokens that were stored on it. The incident serves as a reminder of the ongoing threat landscape facing software developers and the critical importance of vigilance in maintaining secure development practices.