Cybersecurity researchers have discovered a new wave of the GlassWorm campaign that they describe as a "significant escalation" in how it propagates through the Open VSX registry. "Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established," Socket said in a report published Friday. The software supply chain security company said it has identified at least 72 additional malicious Open VSX extensions since January 31, 2026, all targeting developers.
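The practical check that follows from the Socket finding is to treat any update that adds entries to extensionPack or extensionDependencies as a review event, because those fields make the registry install other extensions on the user's behalf. The following Node.js script is an added example, not code from Socket's report or from any GlassWorm extension: it diffs the two fields between two versions of an extension manifest (package.json) and reports every extension ID the update newly pulls in. The manifests, publisher and extension IDs are constructed for illustration.

```javascript
// Added example: detect extension IDs newly pulled in by an extension update
// via extensionPack / extensionDependencies. All manifests are constructed.
const TRANSITIVE_FIELDS = ["extensionPack", "extensionDependencies"];

// Collect every extension ID (publisher.name) a manifest pulls in through the
// two transitive-install fields. IDs are lower-cased because VS Code compares
// extension identifiers case-insensitively (assumption stated for clarity).
function transitiveExtensions(manifest) {
  const ids = new Set();
  for (const field of TRANSITIVE_FIELDS) {
    const list = manifest[field];
    if (!Array.isArray(list)) continue;
    for (const id of list) {
      if (typeof id === "string" && id.includes(".")) ids.add(id.toLowerCase());
    }
  }
  return ids;
}

// Compare two manifest versions (parsed package.json objects) and return the
// IDs present in the update but absent from the previous version, sorted.
function newTransitiveExtensions(previousManifest, updatedManifest) {
  const before = transitiveExtensions(previousManifest);
  const after = transitiveExtensions(updatedManifest);
  return [...after].filter((id) => !before.has(id)).sort();
}

// Constructed sample: version 1.0.0 declares no extension dependencies and
// looks standalone; version 1.0.1 quietly adds two transitive pulls.
const MANIFEST_V1 = {
  name: "fast-linter",
  publisher: "example-dev",
  version: "1.0.0",
};
const MANIFEST_V2 = {
  name: "fast-linter",
  publisher: "example-dev",
  version: "1.0.1",
  extensionPack: ["example-dev.fast-linter-core"],
  extensionDependencies: ["Other-Publisher.Helper-Extension"],
};

// Render the review result as a string so it can be logged or asserted on.
function reviewUpdate(previousManifest, updatedManifest) {
  const added = newTransitiveExtensions(previousManifest, updatedManifest);
  if (added.length === 0) return "no new transitive extensions";
  return `update ${previousManifest.version} -> ${updatedManifest.version} newly pulls in: ${added.join(", ")}`;
}

console.log(reviewUpdate(MANIFEST_V1, MANIFEST_V2));
```

The same diff applied to each published revision of an extension gives a timeline of when a listing stopped being standalone, which is exactly the transition the report describes; a marketplace or an internal extension allow-list can gate on it before the update reaches developers.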

The add-ons masquerade as popular developer tooling such as linters and formatters, code runners, and AI-powered coding assistants like Claude Code and Google Antigravity. Some of the extension names are listed below. The degree to which the fake cover commits are tailored to each individual project suggests the attackers are likely using large language models to generate them.

The development comes as Endor Labs said it found 88 new malicious npm packages uploaded in three waves between November 2025 and February 2026 from 50 disposable accounts. The packages include functionality to steal sensitive data from the infected host, such as environment variables, CI/CD tokens, and system metadata.

What makes the activity stand out is the use of Remote Dynamic Dependencies (RDD): the package.json manifest declares a dependency at a custom HTTP URL rather than a registry version, so the published package itself contains only the URL and the operators can swap the code served from it at any time, evading inspection of what was uploaded to npm. The packages were initially linked to the PhantomRaven campaign, but the application security company later said they were created by a security researcher as part of a legitimate experiment.
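The defensive counterpart to the RDD pattern is a pre-install check on the manifest itself. The following Node.js script is an added example, not Endor Labs' detection logic or code from the packages described: it parses a package.json and reports every dependency whose specifier resolves outside the npm registry, flagging HTTP tarball URLs separately because that is the Remote Dynamic Dependency case. The manifest, package names and URL are constructed for illustration.

```javascript
// Added example: flag npm dependency specifiers that resolve outside the
// registry (HTTP tarball URLs, git, local paths). The package.json below is
// constructed; all package names and the URL are made up.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Classify an npm dependency specifier. Only plain registry specs (semver
// ranges, dist-tags, npm: aliases) count as "registry"; everything else is
// fetched from a location outside the registry and is reported.
function classifySpec(spec) {
  if (/^npm:/i.test(spec)) return "registry";                          // alias, still registry-resolved
  if (/^https?:\/\//i.test(spec)) return "http-url";                  // remote tarball: the RDD case
  if (/^(git(\+[a-z]+)?:|ssh:|git@|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return "git";
  if (/^file:/i.test(spec) || /^\.{0,2}\//.test(spec)) return "local";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "git";            // GitHub shorthand owner/repo
  return "registry";
}

// Parse package.json text and return every non-registry dependency along
// with the field it was declared in.
function findRemoteDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, rawSpec] of Object.entries(deps)) {
      const spec = String(rawSpec);
      const kind = classifySpec(spec);
      if (kind !== "registry") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// True when at least one dependency is fetched from an arbitrary HTTP URL,
// i.e. the manifest should be blocked or sent for manual review.
function hasHttpDependency(packageJsonText) {
  return findRemoteDependencies(packageJsonText).some((f) => f.kind === "http-url");
}

// Constructed sample manifest mixing ordinary registry specs with an HTTP
// tarball dependency of the kind described above.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-util",
  version: "1.2.3",
  dependencies: {
    lodash: "^4.17.21",
    "helper-lib": "http://cdn.example.invalid/helper-lib-1.0.0.tgz",
    dbg: "npm:debug@^4.3.0",
  },
  devDependencies: {
    tooling: "github:example-org/tooling#v1",
    "local-thing": "file:../local-thing",
  },
}, null, 2);

for (const f of findRemoteDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}.${f.name}: ${f.spec} [${f.kind}]`);
}
```

Run against the sample it reports three findings, of which only helper-lib is the http-url case. The check belongs before the first install: a package-lock.json records a `resolved` URL and an `integrity` hash for a tarball dependency only once it has been fetched, so a fresh install receives whatever the server happens to serve at that moment.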

The company disagreed, pointing to three red flags.