GlassWorm Malware Linked to Dozens of Open VSX Extension Clones
Security firm Socket has identified over 70 suspicious extensions on the Open VSX marketplace linked to the GlassWorm malware. These extensions, which are clones of popular ones, were published by newly created GitHub accounts. GlassWorm, first appearing in October 2025, is designed to steal credentials and cryptocurrency. The extensions are likely sleeper agents, intended to deploy malware through future updates. This pattern of cloned extensions mirrors previous GlassWorm waves, where extensions are initially published without a payload and later updated to deliver malware. 
