73 Open VSX Sleeper Extensions Linked to GlassWorm Show New ...

Socket Research Team is tracking a new cluster of 73 impersonation extensions on the Open VSX marketplace linked to the GlassWorm campaign. These extensions were initially published as benign-looking sleepers by newly created GitHub accounts, with at least six already activated to deliver malware. The campaign uses cloned listings of popular extensions (e.g., Turkish Language Pack) to build visual trust before weaponizing them via updates. Delivery mechanisms have evolved to include bundled native .node binaries with embedded GitHub release URLs, obfuscated JavaScript loaders, and external VSIX payload retrieval — targeting VS Code, Cursor, Windsurf, and VSCodium. The shift moves critical malicious logic outside of what static scanners typically inspect, making detection harder.

5m read time. From socket.dev
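A triage check for the first delivery mechanism in the summary above, bundled native .node binaries with embedded GitHub release URLs; this is an added example, not code from Socket or from the campaign. It reports .node files that contain such a URL as a plain ASCII or UTF-16LE string, so encoded or obfuscated URLs will not match. The extension folder names, file names and URL in the sample are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Printable-ASCII GitHub release asset URL, as it sits in a binary's string table.
RELEASE_URL = re.compile(
    rb"https://github\.com/[\w.-]+/[\w.-]+/releases/download/[\x21-\x7e]+"
)


def embedded_release_urls(data: bytes) -> list[str]:
    """Return GitHub release URLs stored as ASCII or UTF-16LE strings in data."""
    # data[0::2] / data[1::2] recover UTF-16LE text at even / odd offsets.
    views = (data, data[0::2], data[1::2])
    hits = {m.decode("ascii") for v in views for m in RELEASE_URL.findall(v)}
    return sorted(hits)


def scan_extensions(ext_root: str) -> dict[str, list[str]]:
    """Map each bundled .node file under ext_root to the release URLs it embeds."""
    root = Path(ext_root)
    findings = {}
    for path in sorted(root.rglob("*.node")):
        if path.is_file():
            urls = embedded_release_urls(path.read_bytes())
            if urls:
                findings[path.relative_to(root).as_posix()] = urls
    return findings


def build_sample(root: Path) -> str:
    """Write constructed sample extensions (hypothetical names); return the URL."""
    url = "https://github.com/example-owner/example-repo/releases/download/v0.0.0/asset.bin"
    flagged = root / "publisher.lang-pack-1.0.1" / "bin"
    clean = root / "publisher.theme-2.0.0" / "build"
    flagged.mkdir(parents=True)
    clean.mkdir(parents=True)
    (flagged / "helper.node").write_bytes(b"\x7fELF\x00" + url.encode() + b"\x00\x01")
    (flagged / "wide.node").write_bytes(b"MZ\x90\x00" + url.encode("utf-16-le") + b"\x00\x00")
    (clean / "addon.node").write_bytes(b"\x7fELF\x00napi_register_module_v1\x00")
    return url


if __name__ == "__main__":
    # Point scan_extensions at a real extensions directory for actual triage.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for rel, urls in scan_extensions(tmp).items():
            print(rel, urls)
```

A hit is a lead for manual review, not a verdict: a legitimate native module can also reference a release URL, for example to fetch prebuilt binaries.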