Dozens of Open VSX Extension Clones Linked to GlassWorm Malware

"Socket has identified 73 suspicious extensions that are clones of popular extensions on the Open VSX marketplace. They were published by newly created GitHub accounts that have one or two public repositories named with an eight-character string."
"This count may change as new updates continue to appear, but the pattern is consistent with earlier GlassWorm waves: cloned or impersonating extensions are first published without an obvious payload, then later updated to deliver malware through the normal extension update path."
"The extensions feature a clear impersonation pattern, where they mirror the legitimate listings of the cloned extensions, including icons, naming, and description, but under a different publisher and unique identifier."
"This is the core social engineering pattern behind the latest GlassWorm cluster: cloned listings create enough visual trust to attract installs before any malware is introduced."
More than 70 extensions in the Open VSX marketplace are suspected to be linked to the GlassWorm malware, which first appeared in October 2025. These extensions are clones of popular ones and were published by new GitHub accounts. They are designed to steal sensitive information, including GitHub and cryptocurrency credentials. The extensions mimic legitimate listings to gain user trust before delivering malware through updates. At least six of these extensions have already been activated, following a pattern consistent with previous GlassWorm incidents.
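The impersonation pattern described above (same name, icon and description, but a different publisher and identifier) can be checked for on a workstation by comparing installed extension manifests against the publisher IDs you actually intend to trust. The following is an added example, not code from Socket or SecurityWeek; the allowlist entries, sample manifests and function names are constructed placeholders, and it assumes the `publisher`, `name` and `displayName` fields of a VS Code-style `package.json`.

```python
import json
import re
from pathlib import Path

# Constructed allowlist: extension ID ("publisher.name") -> display name of the
# listing you intend to trust. These IDs are placeholders, not real listings.
TRUSTED = {
    "example-corp.pretty-formatter": "Pretty Formatter",
    "sample-labs.yaml-helper": "YAML Helper",
}

def norm(text):
    """Lowercase and drop non-alphanumerics so 'Pretty-Formatter' == 'pretty formatter'."""
    return re.sub(r"[^a-z0-9]", "", (text or "").lower())

def load_manifests(ext_dir):
    """Read package.json from each installed extension folder under ext_dir."""
    manifests = []
    for pkg in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: skip rather than abort the audit
    return manifests

def find_clones(manifests, trusted=TRUSTED):
    """Return (installed_id, impersonated_id) pairs for look-alike listings."""
    by_title = {norm(title): ext_id for ext_id, title in trusted.items()}
    by_name = {norm(ext_id.split(".", 1)[1]): ext_id for ext_id in trusted}
    trusted_ids = {ext_id.lower() for ext_id in trusted}
    hits = []
    for m in manifests:
        ext_id = f"{m.get('publisher', '')}.{m.get('name', '')}"
        if ext_id.lower() in trusted_ids:
            continue  # exact publisher + name match: the listing you meant to install
        title = m.get("displayName") or ""
        title = "" if title.startswith("%") else title  # unresolved localization key
        match = by_title.get(norm(title)) or by_name.get(norm(m.get("name")))
        if match:
            hits.append((ext_id, match))
    return hits

# Constructed sample manifests (not real extensions).
SAMPLE = [
    {"publisher": "example-corp", "name": "pretty-formatter", "displayName": "Pretty Formatter"},
    {"publisher": "k3x9q2ab", "name": "pretty-formatter", "displayName": "Pretty Formatter"},
    {"publisher": "zq81mmxa", "name": "yamlhelper", "displayName": "%displayName%"},
    {"publisher": "other-dev", "name": "markdown-notes", "displayName": "Markdown Notes"},
]
```

On a real machine, pass the editor's extensions directory to `load_manifests` (for example `~/.vscode/extensions`; the location varies by editor) and feed the result to `find_clones`. A hit means the listing looks like a trusted one but comes from a different publisher, so it needs manual review before any further updates are accepted.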
Read at SecurityWeek