What does GlassWorm malware do?

GlassWorm malware is designed to steal sensitive developer information, including cryptocurrency wallet data, credentials, access tokens, SSH keys, and other developer environment data. It's a supply chain attack aiming to compromise developer systems and steal valuable information.

How do 'sleeper' extensions work?

'Sleeper' extensions are initially benign code uploaded to a marketplace. They remain dormant until a later update is applied. This update then activates the malicious payload, which fetches and executes the actual malware, often from an external source. This delayed activation makes them harder to detect initially.

Should I worry if I use OpenVSX?

Yes, developers using OpenVSX should be aware of this threat. It's crucial to review the list of potentially affected extensions provided by security researchers, revoke secrets, and clean your environment if you've installed any. Vigilance against similar tactics in the future is also recommended.

🦠 Ransomware & Malware

GlassWorm's New Trick: OpenVSX Extensions Now 'Sleep' Before Attacking

The cybersecurity world braced for another supply chain assault, but GlassWorm's latest move in the OpenVSX ecosystem is a quiet, insidious evolution. They're no longer just dropping malware; they're planting seeds.

Threat Digest Apr 28, 2026 5 min read

Illustration of a computer screen with code and a sleeping worm icon

⚡ Key Takeaways

GlassWorm has shifted tactics, using 'sleeper' extensions in OpenVSX that deliver malware via updates. 𝕏
The campaign involves 73 cloned extensions designed to trick developers with similar icons and descriptions. 𝕏
This evolution poses a greater challenge to detection as the malicious payload is fetched post-installation, not embedded initially. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#GlassWorm #OpenVSX #developer security #malware #supply chain attack

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Bleeping Computer

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

[2026] SentinelOne's AI EDR Blocks CPU-Z Watering Hole Attack

CPUID's Trusted Tools Turn Toxic: Hackers Poison CPU-Z and HWMonitor Downloads

36 Fake npm Strapi Plugins Slip Redis and Postgres Backdoors into Dev Pipelines

150+ Victims Hit in CPUID Breach [STX RAT Trojan]

Stay in the loop