73 counterfeit Visual Studio Code extensions have been discovered on the Open VSX repository, all part of a coordinated campaign distributing GlassWorm v2, an information-stealing malware specifically designed to harvest developer credentials and session tokens. The discovery, detailed in a report published April 28, 2026, by The Hacker News, highlights how attackers are increasingly weaponizing trusted development tools and open-source ecosystems to bypass traditional security perimeters.
Key Takeaways
- 73 fake extensions were found on Open VSX, cloned from legitimate tools.
- Six confirmed malicious variants inject GlassWorm v2, a second-generation info-stealer.
- Attackers target session tokens, SSH keys, and environment variables from developers’ machines.
- Open VSX, used by non-Microsoft IDEs like Eclipse Theia, lacks the same vetting rigor as Microsoft’s marketplace.
- The campaign has been active for months, with obfuscated payloads designed to evade detection.
Open Source, Open Season
It’s not supposed to work like this. Open-source tooling is meant to be transparent, inspectable, and community-hardened. But the Open VSX Registry—intended as an open alternative to Microsoft’s proprietary VS Code marketplace—has become a backdoor for malware distribution. That’s the irony: a project created to avoid vendor lock-in now serves as fertile ground for digital lockpicks.
The 73 extensions weren’t novel creations. They were clones—near-perfect copies of popular, trusted tools like “Python,” “Prettier,” and “GitLens.” They mimicked icons, descriptions, and version numbers. To a developer in a hurry, the difference would be imperceptible. Only under inspection did the seams show: slightly altered package IDs, subtle spelling errors in metadata, and—critically—malicious code injected into background scripts.
Of the 73, six have been confirmed to carry GlassWorm v2 payloads. The rest appear to be part of a broader ecosystem—some may be inactive, others likely serving as future delivery vectors or decoys to confuse detection. But their presence alone is alarming: this wasn’t a smash-and-grab. This was a long-term occupation.
How GlassWorm v2 Works
GlassWorm v2 is not a ransomware strain. It doesn’t encrypt. It doesn’t crash systems. It observes. It exfiltrates. And it does so quietly.
Once installed, the malicious extensions activate on VS Code startup. They inject JavaScript into the editor’s extension host process, giving them access to the local filesystem, network stacks, and—crucially—the developer’s runtime environment. From there, they scan for:
- Stored authentication tokens (GitHub, GitLab, AWS, Azure)
- SSH private keys in
~/.ssh - Environment variables containing API keys or secrets
- Active browser sessions via cached cookies
Collected data is encoded and sent to attacker-controlled domains using DNS tunneling and low-frequency HTTPS calls to blend in with normal traffic. The malware avoids logging, disables telemetry, and deletes traces of its own activity—making forensic recovery difficult.
Why Developers Are the New Perimeter
We used to secure the network. Then the endpoint. Now the real prize is the developer’s machine—where code, keys, and access converge. A single compromised VS Code install can give attackers:
- Direct access to private repositories
- Privileged cloud credentials
- Pipeline deployment rights
- Keys to internal systems and staging environments
And because developers routinely use tools from open registries, often installing extensions without reviewing source code, the attack surface is massive. There’s no prompt asking, “Are you sure?” just a quick click on “Install.”
Open VSX vs. Microsoft’s Marketplace
One reason this happened on Open VSX and not Microsoft’s official VS Code marketplace? Oversight.
Microsoft manually reviews and scans every extension submitted to its marketplace. Automated systems flag suspicious behavior. Publishers are verified. And extensions are sandboxed with restricted permissions.
Open VSX, by contrast, is governed by the Eclipse Foundation and designed to be open and decentralized. That means no pre-publishing review. Anyone can upload an extension under any name, as long as the namespace isn’t already taken. There’s no code audit. No publisher verification. No behavioral monitoring.
That openness is its strength—and its fatal flaw. The same principles that prevent vendor control also enable abuse. And while Microsoft’s marketplace isn’t immune to malware (remember the original GlassWorm campaign from 2024?), its layered defenses make large-scale attacks harder.
The Cloning Tactic Is Growing
Counterfeiting isn’t new in app stores. But it’s now endemic in developer tooling. Attackers aren’t writing better malware—they’re just copying better tools. The fake “Python” extension in this campaign, for example, functions identically to the real one. Users get syntax highlighting, linting, debugging. Nothing feels off. Which means the malware runs every time they code.
The payloads are also more sophisticated. GlassWorm v2 uses polymorphic code—changing its structure with each build to evade signature detection. It checks for sandbox environments and delays execution if it detects analysis tools. And it only targets specific file paths and credential stores, minimizing noise.
Who’s Responsible?
The original report does not name a specific threat actor. But the infrastructure used in the campaign—domains, IPs, encryption methods—overlaps with previous GlassWorm operations traced to a China-linked group that’s been active since at least 2022. That group has historically targeted software supply chains, focusing on developers at tech firms and government contractors.
There’s no evidence Microsoft’s own marketplace was compromised. All malicious extensions were hosted exclusively on Open VSX. But because many IDEs—like Gitpod, CodeSandbox, and Eclipse Theia—default to or allow Open VSX as a source, the risk spreads far beyond a single platform.
What This Means For You
If you’re a developer, this isn’t someone else’s problem. Your machine is a high-value target. Assume that any extension not vetted by a trusted publisher is suspect. Only install from official marketplaces when possible. Audit your installed extensions regularly. Remove anything you don’t actively use.
And stop treating IDEs like neutral tools. They’re execution environments with deep system access. Review the permissions an extension requests. If a “bracket highlighter” wants access to your filesystem and network, that should raise a red flag. Use tools like code --list-extensions --show-versions to audit what’s running, and consider running VS Code in containers or restricted profiles when working with untrusted code.
One thing hasn’t changed: trust is the scarcest resource in software. We built open source to escape black boxes. But when the cost of openness is unchecked access, we have to ask—how open should our tools really be?
The Bigger Picture: Supply Chain Trust Is Fracturing
The Open VSX incident isn’t isolated. It’s part of a broader erosion in software supply chain integrity. In 2025 alone, Sonatype’s State of the Software Supply Chain report documented over 120,000 malicious packages across npm, PyPI, and RubyGems. That number jumped to 158,000 in 2026. Many mimic real packages with names like “lodash-security” or “requests-secure.” Developers typing the wrong name—“chokidar2” instead of “chokidar”—get pwned instantly.
What’s different here is the target layer. Where most supply chain attacks focus on runtime dependencies, this campaign hits the *development* environment. That’s a step upstream—and more dangerous. A poisoned dev tool doesn’t just affect one app. It can compromise everything built with it. Think of it like contaminating a chef’s knife instead of spiking a single dish.
Companies like Google and Meta have responded by investing in internal extension registries. Google mandates that internal developers only use vetted plugins from its monorepo-verified catalog. Meta uses automated static analysis to scan every extension used in its engineering org. Smaller firms don’t have that luxury. But tools like Snyk Code and Checkmarx CxCode are starting to add extension-aware scanning, letting teams flag risky dependencies before they’re installed.
The cost of ignoring this? Real dollars. In 2024, a supply chain breach via a poisoned npm package cost Codecov an estimated $3 million in incident response, customer remediation, and legal fees. The fallout lasted 18 months. And that was just one dependency. An IDE-level compromise could be far worse.
Industry Responses and Technical Countermeasures
Since the April 2026 disclosure, the Eclipse Foundation has announced a new security initiative for Open VSX. Starting in Q3 2026, all new extensions will require publisher verification via verified email domains or GitHub organization ownership. The team is also piloting a lightweight static analysis engine to flag suspicious API calls—like access to the ~/.ssh directory or DNS tunneling patterns—before publication.
Meanwhile, Gitpod and CodeSandbox have changed their default extension sources. Gitpod now defaults to Microsoft’s marketplace unless explicitly overridden. CodeSandbox has implemented a hybrid model: it proxies Open VSX but runs each extension through a sandboxed analysis pipeline that checks for obfuscated code, unauthorized network calls, and unusual filesystem access. Any red flags trigger manual review.
Other open-source IDEs are watching closely. The VSpaceCode project, which builds on Neovim to mimic VS Code, has adopted a curated plugin model, requiring all additions to be approved by at least two maintainers. Similarly, the Zed editor team has built cryptographic signing into its plugin protocol, ensuring that only extensions with valid keys from trusted publishers can run.
On the enterprise side, companies like Palo Alto Networks and CrowdStrike have updated their endpoint detection rules to monitor for anomalous behavior in IDE processes. For example, if VS Code suddenly starts making repeated short DNS queries to uncommon domains, it’s flagged as potential exfiltration. These behavioral heuristics are now part of standard developer-focused security bundles, such as CrowdStrike Falcon DevOps Security and Wiz’s developer environment monitoring module.
Why It Matters Now
This attack surfaced at a time when more code is being written outside traditional corporate networks than ever before. GitHub’s 2025 report showed that 68% of commits from enterprise developers originated from personal laptops, not company-issued devices. Those machines often lack EDR agents, disk encryption, or centralized policy enforcement.
At the same time, the line between local and cloud-based development is blurring. Tools like GitHub Codespaces, Gitpod, and Amazon CodeCatalyst run full VS Code instances in the cloud—but still allow extensions from Open VSX. A malicious plugin could steal credentials not just from a local machine, but from a cloud-hosted dev environment with access to production systems.
Regulators are starting to notice. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added “unvetted development tools” to its 2026 list of top ten software supply chain risks. NIST is expected to release updated guidelines this year requiring organizations to inventory and assess all third-party development tools used in federal projects.
For developers, the takeaway is clear: your editor isn’t just a text box. It’s a gateway. Every extension you install is a potential backdoor. And in 2026, the attackers aren’t breaking in—they’re being invited.
Sources: The Hacker News, BleepingComputer, Sonatype State of the Software Supply Chain 2026, GitHub Octoverse 2025, CISA 2026 Top Risks Report, Eclipse Foundation Security Updates
