Ethical Hacking News
A recent discovery by cybersecurity researchers has exposed a sophisticated and malicious campaign involving Microsoft Visual Studio Code (VS Code) extensions, which are being used to deliver the GlassWorm v2 malware. The campaign involves 73 cloned VS Code extensions and is designed to trick unsuspecting developers into installing them, thereby gaining access to their systems and stealing sensitive data.
- Microsoft Visual Studio Code (VS Code) extensions are being used to deliver the GlassWorm v2 malware.
- 73 cloned VS Code extensions are part of a sophisticated and malicious campaign.
- The malicious extensions use typosquatting and copy icons and descriptions from legitimate versions to trick developers into installing them.
- The GlassWorm v2 malware uses social engineering tactics and advanced programming techniques to evade detection.
- Over 320 artifacts have been identified since December 21, 2025, including the malicious VS Code extensions.
THREAT INTELLIGENCE
A recent discovery by cybersecurity researchers has shed light on a sophisticated and malicious campaign involving Microsoft Visual Studio Code (VS Code) extensions, which are being used to deliver the GlassWorm v2 malware. The campaign, which involves 73 cloned VS Code extensions, is designed to trick unsuspecting developers into installing them, thereby gaining access to their systems and stealing sensitive data.
The malicious extensions, which have been identified by security company Socket, were published on the Open VSX repository at the start of the month. Of these, six have been confirmed to be malicious, while the remaining 67 extensions are thought to be sleeper packages, designed to build trust with users before deploying their true intent. To trick developers into installing them, the malicious extensions use typosquatted names and copy the icons and descriptions of the legitimate versions.
The GlassWorm v2 malware is a sophisticated piece of code that uses a combination of social engineering tactics and advanced programming techniques to evade detection. It is designed to infect all integrated development environments (IDEs) on a developer's machine, including VS Code, Cursor, Windsurf, and VSCodium, using the "--install-extension" command-line option.
Once installed, the malware serves as a loader for the actual payload, which is a VSIX extension retrieved from GitHub. The payload is then executed, allowing the malware to run in the background and steal sensitive data, install a remote access trojan (RAT), and deploy a rogue Chromium-based extension.
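The cloning tactics described above (typosquatted names, copied descriptions) can be checked for on a developer workstation. The following is an added example, not code from Socket or from the original article: it compares installed extension manifests against an allowlist of extensions the team actually uses. The extension names, the allowlist, and the 0.85 similarity threshold are constructed assumptions; `load_manifests` expects an IDE's extensions folder (for VS Code, typically `~/.vscode/extensions`).

```python
import json
from difflib import SequenceMatcher
from pathlib import Path

# Constructed sample manifests (fields as found in an extension's package.json).
TRUSTED = [{"publisher": "examplecorp", "name": "pretty-formatter",
            "displayName": "Pretty Formatter", "description": "Format code on save."}]
INSTALLED = [
    TRUSTED[0],                                               # the genuine extension
    {"publisher": "examplecorp", "name": "pretty-formater",   # typosquatted name
     "displayName": "Pretty Formatter", "description": "Format code on save."},
    {"publisher": "x9tools", "name": "code-beautify",         # copied listing text
     "displayName": "Pretty Formatter", "description": "Format code on save."},
    {"publisher": "otherdev", "name": "theme-pack",           # unrelated extension
     "displayName": "Theme Pack", "description": "Colour themes."},
]

def ext_id(manifest):
    """Extension identifier in publisher.name form, lower-cased."""
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()

def load_manifests(extensions_dir):
    """Parse package.json from each unpacked extension; skip unreadable ones."""
    manifests = []
    for pkg in sorted(Path(extensions_dir).glob("*/package.json")):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue
    return manifests

def find_clones(installed, trusted, id_threshold=0.85):
    """Return (installed_id, trusted_id, reasons) for look-alikes of trusted extensions."""
    trusted_ids = {ext_id(t) for t in trusted}
    findings = []
    for m in installed:
        iid = ext_id(m)
        if iid in trusted_ids:          # exact allowlist match: not a clone
            continue
        for t in trusted:
            reasons = []
            if SequenceMatcher(None, iid, ext_id(t)).ratio() >= id_threshold:
                reasons.append("near-identical id")
            for field in ("displayName", "description"):
                if m.get(field) and m.get(field) == t.get(field):
                    reasons.append(f"copied {field}")
            if reasons:
                findings.append((iid, ext_id(t), reasons))
    return findings
```

Running `find_clones(load_manifests(path), TRUSTED)` once per IDE extensions folder covers the case where the same look-alike has been installed into several editors.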
The campaign is thought to be linked to a persistent information-stealing campaign dubbed GlassWorm, whose malicious activity has been tracked since December 21, 2025. Over 320 artifacts have been identified since this date, including the malicious VS Code extensions.
Researchers believe that the threat actors behind the campaign are actively evolving their modus operandi, pivoting to sleeper packages and transitive dependencies to evade detection, while simultaneously using Zig-based droppers to deploy a secondary VSIX extension hosted on GitHub. This approach achieves the same outcome as the binary-based variant, but keeps the delivery logic in obfuscated JavaScript.
The discovery of the GlassWorm v2 malware campaign highlights the importance of staying vigilant and up-to-date with security patches for software development tools like VS Code. It also underscores the need for developers to be cautious when installing new extensions, as even seemingly harmless packages can pose a threat if they are part of a larger malicious campaign.
In conclusion, the GlassWorm v2 malware campaign is a significant threat to the cybersecurity of developers and organizations using VS Code. As with any malicious activity, it is essential to stay informed and take proactive measures to protect against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Deceptive-World-of-Visual-Studio-Code-Extensions-Unveiling-the-GlassWorm-v2-Malware-Campaign-ehn.shtml
https://thehackernews.com/2026/04/researchers-uncover-73-fake-vs-code.html
Published: Mon Apr 27 08:32:13 2026 by llama3.2 3B Q4_K_M