Fake VS Code Extensions Used to Spread GlassWorm Malware

Security researchers have identified a campaign involving 73 fake extensions for Visual Studio Code that are being used to distribute malware known as GlassWorm v2.

These extensions were uploaded to the Open VSX marketplace and are designed to closely resemble legitimate tools. Many imitate the names, icons, and descriptions of real extensions, making it difficult for developers to tell the difference.

Only a small portion of these extensions are immediately malicious. The majority are designed to appear harmless at first in order to gain user trust and increase downloads. Over time, they can be updated to include harmful features.

This activity is part of an ongoing operation called GlassWorm v2, which has been active since late 2025 and has already produced a large number of malicious components.

Once installed, the extensions can download additional payloads from external sources and install them across multiple development environments on a system. This means the threat is not limited to Visual Studio Code and can affect other development tools as well.

The malware is capable of stealing sensitive information, including login credentials, and can spread within development environments, posing a serious risk to both individual developers and organizations.

Researchers have also observed that attackers are improving their methods by using tactics such as creating look-alike extensions and exploiting small naming differences. These techniques increase the chances that users will unknowingly install malicious software.
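Because the campaign relies on look-alike names, one defensive check is to compare installed extension IDs against a vetted allowlist and flag near-matches for review. The sketch below is an added example, not code from the researchers or from Open VSX; the allowlist contents, the 0.85 similarity threshold, and the sample look-alike IDs are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumption: an allowlist of extension IDs your organization has vetted.
TRUSTED = {"ms-python.python", "esbenp.prettier-vscode", "dbaeumer.vscode-eslint"}
THRESHOLD = 0.85  # assumed similarity cut-off; tune against your own inventory


def normalize(ext_id):
    """Lowercase and drop separators so '_' / '-' / '.' swaps compare equal."""
    return re.sub(r"[-_.\s]", "", ext_id.lower())


def classify(ext_id, trusted=TRUSTED, threshold=THRESHOLD):
    """Return (verdict, closest_trusted_id); verdict is trusted/lookalike/unknown."""
    ext_id = ext_id.strip().lower()
    if ext_id in trusted:
        return "trusted", ext_id
    publisher, _, name = ext_id.partition(".")
    best, best_score = None, 0.0
    for known in sorted(trusted):
        known_pub, _, known_name = known.partition(".")
        # Same extension name published under a different publisher ID.
        if name == known_name and publisher != known_pub:
            return "lookalike", known
        score = SequenceMatcher(None, normalize(ext_id), normalize(known)).ratio()
        if score > best_score:
            best, best_score = known, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


def audit(installed):
    """Map each installed ID that is not allowlisted to its verdict."""
    return {e: classify(e) for e in installed if classify(e)[0] != "trusted"}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. the output of `code --list-extensions`.
    sample = ["ms-python.python", "ms-pyhton.python",
              "esbenp.prettier_vscode", "esbenp.prettier-vscod",
              "redhat.vscode-yaml"]
    for ext, (verdict, match) in audit(sample).items():
        print(f"{ext:28} {verdict:10} {match or ''}")
```

A "lookalike" verdict is a prompt for manual review rather than proof of malice, and since benign-looking extensions can be updated later, the check is most useful when rerun after every extension update.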