The GlassWorm supply chain attack<\/a> targeting the Open VSX marketplace has escalated with the discovery of 73 new \u201csleeper\u201d extensions.<\/p>\n Identified in April 2026, this cluster marks a dangerous shift in how threat actors distribute malware to software developers.<\/p>\n This activity follows a major wave discovered in March 2026, where researchers documented 72 malicious Open VSX extensions<\/a> tied to the GlassWorm operation.<\/p>\n Earlier variants abused extension dependency features to install malicious loaders silently. However, the new April 2026 cluster shows that attackers are evolving their tactics to evade security scans.<\/p>\n A sleeper extension is a fake package published by threat actors before it is weaponized. These extensions initially appear harmless to build visual trust, gain credibility, and gather downloads.<\/p>\n Attackers use newly created GitHub accounts to publish cloned versions of popular tools.<\/p>\n For example, attackers created a fake Turkish Language Pack for Visual Studio Code<\/a> that closely mimicked the legitimate version. They copied the globe icon and the description, while simply swapping the publisher name.<\/p>\n Once developers install these cloned tools, the attackers wait before pushing a software update that delivers the malware. At least six of the 73 new extensions have already been activated to deliver payloads.<\/p>\n In this latest wave, the extension acts only as a thin loader to fetch external payloads.<\/p>\n The malicious code is no longer directly visible in the extension\u2019s source code, increasing the likelihood of evading detection<\/a>.<\/p>\n The campaign uses two primary execution methods:<\/p>\n Indicators of Compromise<\/strong><\/p>\n Security teams should monitor for the following indicators:<\/p>\n According to Socket Research Team<\/a>, developers must verify publisher namespaces and inspect download counts carefully before installing extensions from the Open VSX marketplace.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post 73 Open VSX Sleeper Extensions Linked to GlassWorm Activate New Malware Campaign<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe Sleeper Extension Strategy<\/strong><\/h2>\n
![\"A](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhrRuiAOMMNHYfXgemvIApW5J84yu5-pYEApwvIwR0gx7K9N6eOIaH7B11IsG2fFvKLjyVhkoFhJpBx4VAHBGDrHwW8QyGD7zOHGlM54n7ePMk-jb-F1lYVZ10XZsXm17mnnPSUVN5xg0QOqIbCBJPngJ-27beO-R2CovlMuaH9z4NhPDz6y_Oll_-k3MI\/s1600\/Screenshot%25202026-04-25%2520180037%2520%25281%2529.webp?ssl=1\")
Evolving Delivery Mechanisms<\/strong><\/h2>\n
\n
\n