Cybersecurity experts have uncovered a supply chain compromise targeting the Open VSX Registry, where unknown attackers abused a legitimate developer’s account to distribute malicious updates to unsuspecting users.
According to findings from Socket, the attackers infiltrated the publishing environment of a trusted extension author and used that access to release tainted versions of widely used tools.
"On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader," Socket security researcher Kirill Boychenko said in a Saturday report.
The compromised extensions had long been considered safe and were positioned as genuine developer utilities, with some having been available for more than two years.
"These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases."
Socket noted that the incident stemmed from unauthorized access to the developer’s publishing credentials. The Open VSX security team believes the breach may have involved a leaked access token or similar misuse of credentials. All affected versions have since been taken down from the registry.
Impacted extensions include:
- FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
- I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
- vscode mindmap (oorzc.mind-map — version 1.0.61)
- scss to css (oorzc.scss-to-css-compile — version 1.3.4)
The malicious updates were engineered to deploy GlassWorm, a loader malware linked to an ongoing campaign. The loader decrypts and executes payloads at runtime and relies on EtherHiding—a technique that conceals command-and-control infrastructure—to retrieve C2 endpoints. Its ultimate objective is to siphon Apple macOS credentials and cryptocurrency wallet information.
Before activating, the malware profiles the infected system and checks locale settings, avoiding execution on systems associated with Russian regions, a behavior often seen in malware tied to Russian-speaking threat groups.
The stolen data spans a broad range of sensitive assets, including browser credentials, cryptocurrency wallets, iCloud Keychain data, Safari cookies, Apple Notes, user documents, VPN configurations, and developer secrets such as AWS and SSH credentials.
The exposure of developer-related data is particularly dangerous, as it can lead to deeper enterprise breaches, cloud account takeovers, and lateral movement across networks.
"The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation," Boychenko said.
What sets this incident apart is the delivery method. Instead of relying on fake or lookalike extensions, the attackers leveraged a real developer’s account to push the malware—an evolution from earlier GlassWorm campaigns that depended on typosquatting and brand impersonation.
"The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions," Socket said. "These design choices reduce the value of static indicators and shift defender advantage toward behavioral detection and rapid response."
