Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm

Security Reporter

Open VSX Registry compromised as threat actors used legitimate developer credentials to distribute GlassWorm malware through four popular extensions, affecting over 22,000 users.

Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting the Open VSX Registry, where threat actors compromised a legitimate developer's credentials to distribute malicious updates containing the GlassWorm malware loader.


The Attack Timeline

On January 30, 2026, four established Open VSX extensions published by the developer "oorzc" had malicious versions pushed to the registry. These extensions had previously operated as legitimate developer utilities, with some first published more than two years ago and collectively accumulating over 22,000 downloads before the attack.

The compromised extensions included:

  • FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
  • I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
  • vscode mindmap (oorzc.mind-map — version 1.0.61)
  • scss to css (oorzc.scss-to-css-compile — version 1.3.4)
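As an added defender-side check (not code from the article or from Socket), the following Python script looks through the folder names in a VS Code or VSCodium extensions directory and flags the four extension identifiers and versions listed above. It assumes the editor's convention of unpacking each extension into a `<publisher>.<name>-<version>` folder; the default directory paths and the sample folder list are assumptions and constructed data, respectively.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Extension identifiers and malicious versions named in the article.
COMPROMISED = {
    "oorzc.ssh-tools": {"0.5.1"},
    "oorzc.i18n-tools-plus": {"1.6.8"},
    "oorzc.mind-map": {"1.0.61"},
    "oorzc.scss-to-css-compile": {"1.3.4"},
}

# Assumption: the editor unpacks each extension into a folder named
# <publisher>.<name>-<version>, optionally followed by a platform suffix.
_FOLDER_RE = re.compile(
    r"^(?P<ext_id>[a-z0-9][a-z0-9-]*\.[a-z0-9][a-z0-9-]*)"
    r"-(?P<version>\d+\.\d+\.\d+)(?:[-+][0-9a-z.-]+)?$",
    re.IGNORECASE,
)

# Assumption: default extension directories for VS Code and VSCodium/Code-OSS.
DEFAULT_DIRS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
]

# Constructed folder names standing in for a real extensions directory.
SAMPLE_FOLDERS = [
    "oorzc.ssh-tools-0.5.1",             # malicious version from the article
    "oorzc.mind-map-1.0.60",             # same extension id, a different version
    "oorzc.scss-to-css-compile-1.3.4",   # malicious version from the article
    "ms-python.python-2024.22.0",        # unrelated extension, ignored
    "extensions.json",                   # not an extension folder, skipped
]


def parse_folder(name: str) -> Optional[Tuple[str, str]]:
    """Split an extension folder name into (extension id, version), or None."""
    m = _FOLDER_RE.match(name)
    if not m:
        return None
    return m.group("ext_id").lower(), m.group("version")


def classify(folder_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag folders whose id is on the compromised list: the exact malicious
    versions get MALICIOUS_VERSION; other versions of the same ids are flagged
    for review because the publisher account itself was compromised."""
    findings = []
    for name in folder_names:
        parsed = parse_folder(name)
        if parsed is None:
            continue
        ext_id, version = parsed
        if ext_id not in COMPROMISED:
            continue
        if version in COMPROMISED[ext_id]:
            findings.append((name, "MALICIOUS_VERSION"))
        else:
            findings.append((name, "AFFECTED_ID_OTHER_VERSION"))
    return findings


def scan_dirs(dirs: Iterable[Path]) -> List[Tuple[str, str]]:
    """Collect folder names from each existing extensions directory and classify them."""
    names = []
    for d in dirs:
        if d.is_dir():
            names.extend(p.name for p in d.iterdir() if p.is_dir())
    return classify(names)


if __name__ == "__main__":
    print("Local extension dirs:", scan_dirs(DEFAULT_DIRS) or "no findings")
    print("Constructed sample:")
    for name, verdict in classify(SAMPLE_FOLDERS):
        print(f"  {verdict:26} {name}")
```

The folder-name check is deliberately conservative: it never opens the extension's code, so it works as a quick triage pass across a fleet of developer machines before any deeper forensic work.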

How GlassWorm Operates

The malicious versions are designed to deliver a sophisticated loader malware associated with the GlassWorm campaign. According to Socket security researcher Kirill Boychenko, the loader employs several advanced techniques:

  • Runtime decryption: The malware decrypts and executes embedded code at runtime
  • EtherHiding technique: Uses this increasingly weaponized method to fetch command-and-control (C2) endpoints
  • Geolocation filtering: Only detonates after profiling the compromised machine and confirming it doesn't correspond to a Russian locale

This geolocation-based detonation pattern is commonly observed in malicious programs originating from or affiliated with Russian-speaking threat actors, allowing them to avoid domestic prosecution.

Data Theft Capabilities

The malware targets a comprehensive range of sensitive information:

Browser Data:

  • Mozilla Firefox and Chromium-based browsers (logins, cookies, internet history)
  • Cryptocurrency wallet extensions like MetaMask

Cryptocurrency Wallets:

  • Electrum, Exodus, Atomic, Ledger Live, Trezor Suite
  • Binance and TonKeeper wallet files

Apple Ecosystem:

  • iCloud Keychain database
  • Safari cookies
  • Apple Notes data
  • User documents from Desktop, Documents, and Downloads folders

Enterprise Credentials:

  • FortiClient VPN configuration files
  • Developer credentials (e.g., ~/.aws and ~/.ssh)

Enterprise Risk Assessment

The targeting of developer information poses severe risks to enterprise environments. The malware includes routines to locate and extract authentication material used in common workflows, including:

  • Inspecting npm configuration for _authToken
  • Referencing GitHub authentication artifacts
  • Accessing private repositories, CI secrets, and release automation

Stolen material of this kind can enable cloud account compromise and lateral movement within corporate networks.

Attack Methodology Evolution

This incident represents a significant evolution in GlassWorm's attack methodology. Unlike previous instances where threat actors leveraged typosquatting and brandjacking to upload fraudulent extensions, this attack used a compromised account belonging to a legitimate developer.

"The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions," Socket explained.

These design choices reduce the value of static indicators and shift defender advantage toward behavioral detection and rapid response.

Response and Mitigation

The malicious versions have been removed from Open VSX, and the security team is investigating the compromise, which they assess involved either a leaked token or other unauthorized access to the developer's publishing credentials.

For users who may have installed these extensions, security experts recommend:

  1. Immediately uninstall the affected extensions
  2. Scan systems for unusual network activity
  3. Change credentials for any services that may have been accessed
  4. Monitor cryptocurrency wallets for unauthorized transactions
  5. Review system logs for signs of lateral movement
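Step 3 is the hardest to act on without an inventory of what the malware could have reached. As an added example (not code from the article or from Socket), the following Python script builds a rotation checklist from the credential artifacts the article names: `_authToken` entries in `.npmrc`, profiles in `~/.aws/credentials`, and private keys in `~/.ssh`. The GitHub CLI `hosts.yml` location is an assumption of mine, and the sample home directory is constructed with placeholder values. The script reports only which artifacts exist and for which registries or profiles; it never returns secret values.

```python
import configparser
import tempfile
from pathlib import Path
from typing import List

# Files other than private keys that commonly live in ~/.ssh.
_SSH_NON_KEYS = {"known_hosts", "known_hosts.old", "config",
                 "authorized_keys", "environment", "rc"}


def npm_auth_registries(npmrc: Path) -> List[str]:
    """Registries that have an _authToken line in .npmrc; token values are not returned."""
    if not npmrc.is_file():
        return []
    hosts = []
    for raw in npmrc.read_text().splitlines():
        line = raw.strip()
        if line.startswith("//") and ":_authToken=" in line:
            hosts.append(line[2:].split(":_authToken=", 1)[0])
    return hosts


def aws_profiles(credentials: Path) -> List[str]:
    """Profile names in ~/.aws/credentials (each profile holds an access key pair)."""
    if not credentials.is_file():
        return []
    parser = configparser.ConfigParser()
    parser.read(credentials)
    return parser.sections()


def ssh_private_keys(ssh_dir: Path) -> List[str]:
    """Likely private keys: regular files that are not .pub and not config/known_hosts."""
    if not ssh_dir.is_dir():
        return []
    return sorted(p.name for p in ssh_dir.iterdir()
                  if p.is_file() and p.suffix != ".pub" and p.name not in _SSH_NON_KEYS)


def rotation_checklist(home: Path) -> List[str]:
    """One actionable line per credential artifact found under the given home directory."""
    items = [f"npm token for {host}: revoke and reissue"
             for host in npm_auth_registries(home / ".npmrc")]
    items += [f"AWS access key in profile '{p}': deactivate and rotate"
              for p in aws_profiles(home / ".aws" / "credentials")]
    items += [f"SSH key {k}: generate a new key and remove the old public key from every server and Git host"
              for k in ssh_private_keys(home / ".ssh")]
    # Assumption: the GitHub CLI stores its token in ~/.config/gh/hosts.yml.
    if (home / ".config" / "gh" / "hosts.yml").is_file():
        items.append("GitHub CLI token (hosts.yml): revoke in GitHub settings and re-authenticate")
    return items


def build_sample_home(root: Path) -> Path:
    """Constructed stand-in for a developer home directory (placeholder values only)."""
    (root / ".npmrc").write_text(
        "registry=https://registry.npmjs.org/\n"
        "//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_TOKEN\n")
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = PLACEHOLDER\naws_secret_access_key = PLACEHOLDER\n\n"
        "[prod-deploy]\naws_access_key_id = PLACEHOLDER\naws_secret_access_key = PLACEHOLDER\n")
    (root / ".ssh").mkdir()
    for name in ("id_ed25519", "id_ed25519.pub", "known_hosts", "config"):
        (root / ".ssh" / name).write_text("placeholder\n")
    return root


def demo() -> List[str]:
    """Run the checklist against the constructed home directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return rotation_checklist(build_sample_home(Path(tmp)))


if __name__ == "__main__":
    print("Constructed sample home:")
    for item in demo():
        print("  " + item)
    print("Current user home:")
    for item in rotation_checklist(Path.home()) or ["  (no known credential artifacts found)"]:
        print("  " + item)
```

Rotating first and investigating second matches the article's ordering: once a loader has had access to `~/.aws`, `~/.ssh` and the npm token, every downstream system those credentials reach (private repositories, CI secrets, release automation) has to be treated as exposed until the material is replaced.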

Broader Implications

This attack highlights the growing sophistication of supply chain attacks targeting developer ecosystems. By compromising legitimate developer accounts rather than creating fraudulent ones, attackers can bypass many traditional security controls and gain immediate trust within the community.

The use of runtime decryption and dynamic C2 infrastructure makes detection significantly more challenging, requiring organizations to implement behavioral monitoring and rapid response capabilities rather than relying solely on signature-based detection.

As developer tooling becomes increasingly central to software development workflows, protecting the integrity of these supply chains becomes critical for maintaining overall cybersecurity posture.
