Cybersecurity researchers recently identified a supply chain attack on the Open VSX Registry in which attackers hijacked a developer's publishing account to push malicious updates. The updates carried the GlassWorm malware loader and were served to an install base of over 22,000 users who had previously installed the legitimate versions of the same developer tools.
The breach involves the Open VSX Registry, the open-source alternative to the VS Code Marketplace used by VSCodium and other VS Code-compatible editors, where four established extensions were weaponized by threat actors. On January 30, 2026, malicious versions of tools published by a developer known as oorzc were released to unsuspecting users. These extensions, which included utilities for SSH syncing and CSS compiling, had been trusted for over two years before the compromise occurred.
The attack hinged on the theft of the developer's publishing credentials, most likely a leaked access token or other unauthorized access to the account; no vulnerability in the registry itself was needed. With publish rights in hand, the attackers released new versions that embedded the GlassWorm loader, and because extension hosts update installed extensions automatically by default, existing users received the poisoned builds without taking any action. Security firm Socket reported that the malicious versions were identified and removed from the registry quickly, but not before the poisoned code had reached a portion of the developer's large user base.
The GlassWorm loader relied on heavy obfuscation and current evasion techniques. In particular, it used EtherHiding, which stores command-and-control instructions in transactions on a public blockchain rather than on attacker-owned infrastructure. The loader reads those instructions back through ordinary public node endpoints, so there is no C2 domain to sinkhole or take down, the attacker can repoint the loader simply by posting a new transaction, and the traffic blends in with legitimate blockchain API calls. This is what makes the channel resilient and hard to block with conventional network controls.
The primary objective of this campaign appeared to be financial theft and credential harvesting. Once active on a victim's machine, the loader decrypted and executed a second stage designed to steal sensitive data from Apple macOS systems. The researchers noted that the scripts focused heavily on extracting cryptocurrency wallet data and system-level credentials, a severe risk for developers and for the organizations whose repositories, cloud accounts and CI systems those credentials unlock.
The incident is another instance of supply chain attacks that exploit the trust legitimate developers have accumulated rather than any flaw in the software itself. Although the Open VSX security team has purged the infected versions of the FTP, I18n, mindmap, and scss tools, the event is a reminder of the risk inherent in third-party extension ecosystems, where a single compromised publisher account can reach every installation that auto-updates. Users should check the versions they have installed against the notices from Socket and Open VSX, remove or reinstall anything affected, and rotate every credential that was reachable from the editor process during the window of exposure (SSH keys, cloud CLI tokens, git credentials and wallet material), not only those they know were touched.
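The following script is an added example, not code from the original article, from Socket, or from the Open VSX project. It shows how a practitioner would perform the version check described above on a local VS Code or VSCodium extensions directory, and it adds a crude indicator scan for the traits the article attributes to the loader: dynamic code evaluation, blockchain JSON-RPC calls, and large high-entropy string literals. The publisher name `oorzc` comes from the article; the `KNOWN_BAD` version tuple, the indicator patterns and the sample extension tree are assumptions constructed for illustration and must be replaced with the versions listed in the advisories before real use.

```python
"""Audit an extensions directory for a compromised publisher and loader-like code."""
import json
import math
import re
import tempfile
from pathlib import Path

# ASSUMPTION: placeholder tuple, not a real GlassWorm version. Replace with the
# (publisher, name, version) triples from the Socket / Open VSX notices.
KNOWN_BAD = {("oorzc", "example-ext", "9.9.9")}

# ASSUMPTION: generic heuristics for loader-style code, not GlassWorm signatures.
INDICATORS = [
    ("dynamic-eval", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("blockchain-rpc", re.compile(
        r"eth_call|eth_getTransactionByHash|getTransaction|getSignaturesForAddress")),
]
# A quoted string literal of 64+ characters; long opaque blobs are a common place
# to stash an encrypted second stage.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).){64,})\1""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base64 sits near 6.0, prose near 4.5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 5.0) -> list:
    """Return the indicator labels found in one JavaScript source file."""
    hits = [label for label, rx in INDICATORS if rx.search(text)]
    for m in STRING_LITERAL.finditer(text):
        if shannon_entropy(m.group(2)) >= entropy_threshold:
            hits.append("high-entropy-literal")
            break
    return hits


def list_extensions(root) -> list:
    """Read publisher/name/version from each <root>/<ext>/package.json."""
    out = []
    for pkg in Path(root).glob("*/package.json"):
        meta = json.loads(pkg.read_text())
        out.append({"publisher": meta.get("publisher", ""), "name": meta.get("name", ""),
                    "version": meta.get("version", ""), "dir": pkg.parent})
    return out


def audit(root, publisher: str = "oorzc") -> list:
    """Flag known-bad versions, anything else from the affected publisher, and
    loader-like code in any extension. Returns [(extension_id, [reasons])]."""
    findings = []
    for ext in list_extensions(root):
        reasons = []
        if (ext["publisher"], ext["name"], ext["version"]) in KNOWN_BAD:
            reasons.append("known-bad-version")
        elif ext["publisher"] == publisher:
            reasons.append("affected-publisher-review")
        for js in sorted(ext["dir"].rglob("*.js")):
            reasons += [f"{h}:{js.name}" for h in scan_source(js.read_text(errors="ignore"))]
        if reasons:
            findings.append((f'{ext["publisher"]}.{ext["name"]}@{ext["version"]}', reasons))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample data, not real extensions: a placeholder bad version with
    loader-like code, a clean extension from the same publisher, and an unrelated one."""
    root = Path(tempfile.mkdtemp())

    def add(pub, name, version, js):
        d = root / f"{pub}.{name}-{version}"
        d.mkdir()
        (d / "package.json").write_text(json.dumps(
            {"publisher": pub, "name": name, "version": version}))
        (d / "extension.js").write_text(js)

    clean = "exports.activate = function () { console.log('ready'); };"
    # 64 distinct characters: entropy exactly log2(64) = 6.0, above the threshold.
    blob = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    loader = (f'const p = "{blob}";\n'
              'fetch(rpc, {body: JSON.stringify({method: "eth_call"})})'
              '.then(r => eval(decode(p)));')
    add("oorzc", "example-ext", "9.9.9", loader)
    add("oorzc", "other-ext", "1.0.0", clean)
    add("someone", "theme", "2.3.1", clean)
    return root


if __name__ == "__main__":
    # Point this at ~/.vscode/extensions or ~/.vscode-oss/extensions for a real audit.
    for ext_id, reasons in audit(build_sample_tree()):
        print(ext_id, "->", ", ".join(reasons))
```

The indicator scan is deliberately noisy: minified bundles and legitimate crypto libraries will trip it, so treat a hit as a prompt to diff the flagged version against the last known-good release, not as proof of compromise. The version match against the advisory list is the check that actually decides whether credentials must be rotated.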
Source: Open VSX Supply Chain Attack Used Compromised Account to Spread GlassWorm