How can developers protect themselves from such supply chain attacks?

Developers should thoroughly vet third-party extensions, monitor for unusual behavior, and implement robust security measures to safeguard their development environments.

GlassWorm v2 Malware Targets VS Code Extensions in Supply Chain Attack

Cybersecurity researchers uncover 73 malicious VS Code extensions delivering GlassWorm v2 malware, emphasizing the need for vigilance in developer environments.

Published: April 28, 2026

Share this on:

Executive Summary

In April 2026, cybersecurity researchers identified 73 malicious Visual Studio Code (VS Code) extensions on the Open VSX repository, linked to the GlassWorm v2 malware campaign. These extensions, cloned from legitimate ones, initially appeared benign but later delivered malware through updates. Six extensions were confirmed malicious, while others acted as sleeper agents to build trust before deploying harmful payloads. The attackers employed social engineering tactics, such as typosquatting and mimicking legitimate extension icons and descriptions, to deceive developers into installing these compromised extensions. The malware aimed to steal sensitive data, install remote access trojans, and deploy rogue browser extensions to siphon credentials and other information. This incident underscores the evolving nature of supply chain attacks targeting developer environments and the importance of vigilance when installing third-party extensions. The use of sleeper packages and transitive dependencies highlights the need for robust security measures and thorough vetting processes to prevent such infiltrations.

Why This Matters Now

The GlassWorm v2 campaign highlights the increasing sophistication of supply chain attacks targeting developer tools, emphasizing the urgent need for enhanced security practices and vigilance in the software development community.

Attack Path Analysis

Attackers compromised the Open VSX repository by publishing 73 malicious Visual Studio Code extensions, leading to the installation of GlassWorm v2 malware on developers' systems. The malware escalated privileges to gain deeper access, moved laterally across the network, established command and control channels, exfiltrated sensitive data, and caused significant operational impact.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

Attackers published 73 malicious Visual Studio Code extensions on the Open VSX repository, leading to the installation of GlassWorm v2 malware on developers' systems.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1195.002

Compromise Software Supply Chain

Resource Development

T1588.001

Obtain Capabilities: Malware

Resource Development

T1608

Stage Capabilities

Execution

T1204.002

User Execution: Malicious File

Execution

T1059.007

Command and Scripting Interpreter: JavaScript

Defense Evasion

T1055

Process Injection

Collection

T1113

Screen Capture

Exfiltration

T1041

Exfiltration Over C2 Channel

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

Control ID: 6.2

The presence of malicious VS Code extensions indicates a failure to protect system components from known vulnerabilities, potentially exposing cardholder data to unauthorized access.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests inadequacies in the organization's cybersecurity policy, particularly in managing and securing third-party software components, leading to potential regulatory non-compliance.

DORA – ICT Risk Management Framework

Control ID: Article 5

The compromise of software supply chains highlights deficiencies in the ICT risk management framework, emphasizing the need for enhanced controls over third-party software to ensure operational resilience.

CISA ZTMM 2.0 – Applications and Workloads

Control ID: Pillar 3

The deployment of malicious extensions indicates a lapse in securing applications and workloads, underscoring the necessity for stringent controls and monitoring within a zero trust architecture.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reveals shortcomings in implementing appropriate cybersecurity risk management measures, particularly concerning the security of supply chains and third-party software components.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

Direct exposure to GlassWorm v2 malware through compromised VS Code extensions targeting developers, enabling supply chain attacks and credential theft in software development environments.

Information Technology/IT

High risk from malicious VS Code extensions infiltrating development workflows, potentially compromising IT infrastructure through stolen credentials and lateral movement across enterprise networks.

Financial Services

Critical vulnerability as developers using infected extensions could expose sensitive financial data, violating PCI compliance requirements and enabling unauthorized access to banking systems.

Health Care / Life Sciences

Severe HIPAA compliance risks from compromised development tools potentially exposing patient data through infected VS Code extensions used in healthcare software development projects.

Sources

Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malwarehttps://thehackernews.com/2026/04/researchers-uncover-73-fake-vs-code.html
Verified

GlassWorm v2 - Sockethttps://socket.dev/supply-chain-attacks/glassworm-v2

Verified

GlassWorm malware hides in invisible open-source codehttps://www.scientificamerican.com/article/glassworm-malware-hides-in-invisible-open-source-code/

Verified

Frequently Asked Questions

GlassWorm v2 is a malware campaign that involves malicious Visual Studio Code extensions designed to steal sensitive data and deploy additional malware.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the malware's ability to escalate privileges, move laterally, establish command and control channels, and exfiltrate data, thereby reducing the attack's overall impact.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The initial compromise may not have been prevented by CNSF, as it focuses on post-compromise activities.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Zero Trust Segmentation could likely limit the malware's ability to escalate privileges by enforcing strict access controls and minimizing trust relationships.

Lateral Movement

Control: East-West Traffic Security

Mitigation: East-West Traffic Security would likely restrict the malware's lateral movement by monitoring and controlling internal traffic flows.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Multicloud Visibility & Control may detect and limit unauthorized command and control communications by providing comprehensive monitoring across cloud environments.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Egress Security & Policy Enforcement could likely limit data exfiltration by controlling and monitoring outbound traffic.

Impact (Mitigations)

By constraining the malware's ability to escalate privileges, move laterally, establish command and control channels, and exfiltrate data, CNSF would likely reduce the overall operational impact of the attack.

Impact at a Glance

Affected Business Functions

Software Development
Integrated Development Environments (IDEs)
Code Repositories

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Developer credentials, source code, and potentially sensitive project information.

Recommended Actions

• Implement Zero Trust Segmentation to restrict lateral movement within the network.
• Enhance East-West Traffic Security to monitor and control internal communications.
• Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
• Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
• Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

GlassWorm v2 Malware Targets VS Code Extensions in Supply Chain Attack

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Compromise Software Supply Chain

Obtain Capabilities: Malware

Stage Capabilities

User Execution: Malicious File

Command and Scripting Interpreter: JavaScript

Process Injection

Screen Capture

Exfiltration Over C2 Channel

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Applications and Workloads

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Computer Software/Engineering

Information Technology/IT

Financial Services

Health Care / Life Sciences

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads