Open VSX Registry Deploys GlassWorm Malware via Four Malicious Extension Versions
- Registry Infiltration: Threat actors successfully compromised a developer account on the Open VSX registry to publish malicious updates.
- Malware Deployment: Four widely used extensions delivered GlassWorm malware, a sophisticated payload designed to exfiltrate sensitive data from developer workstations.
- Data Theft: The compromised extensions also focused on stealing macOS credentials and wallets.
An Open VSX supply chain attack involving the distribution of malware through the Eclipse Foundation's registry specifically targets the software supply chain by infiltrating the environments of developers, who often have high-level access to corporate networks and production infrastructure.
Attackers gained unauthorized access through a compromised developer account, enabling them to upload four weaponized extension versions under the oorzc publisher name. These malicious updates appeared legitimate but contained a hidden loader identified as GlassWorm malware.
GlassWorm Malware Capabilities and Impact
Upon installation of the compromised extension, the GlassWorm malware executes silently in the background. Technical analysis by Socket reveals that GlassWorm is designed for persistence and data theft.
The four impacted extensions are:
- FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — v0.5.1)
- I18n Tools (oorzc.i18n-tools-plus — v1.6.8)
- vscode mindmap (oorzc.mind-map — v1.0.61)
- scss to css (oorzc.scss-to-css-compile — v1.3.4)
The attacker avoided Russian-language or Russia-adjacent systems, used Solana transaction memos as a dead drop for next-stage configuration, and focused on macOS credential, session, and wallet theft, including FortiClient VPN configurations.
Mitigation and Supply Chain Security
The compromised extensions have been removed from the registry, but organizations utilizing extensions from Open VSX or similar marketplaces should immediately audit their installed plugins for signs of tampering.
Security professionals recommend:
- Rotating credentials.
- Adding supply chain controls and using the Socket GitHub app to gate dependency changes in pull requests.
- Using the Socket CLI in install workflows.
- Using the Socket browser extension to surface registry risk signals during discovery and installation.
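The audit step above can be scripted directly against the editor's own extension listing. The following POSIX shell script is an added example, not code from Socket, Koi Security or the article: it reads `publisher.id@version` lines in the format printed by `code --list-extensions --show-versions` (VSCodium uses `codium`), flags exact matches against the four compromised versions named in the article, and separately lists any other extension from the same publisher account so it can be reviewed by hand. The `SAMPLE` listing is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Socket or Koi Security reports): audit an
# editor's installed extensions against the four compromised oorzc versions.

# Indicators taken from the article, as publisher.id@version
COMPROMISED="oorzc.ssh-tools@0.5.1
oorzc.i18n-tools-plus@1.6.8
oorzc.mind-map@1.0.61
oorzc.scss-to-css-compile@1.3.4"

# flag_compromised reads "publisher.id@version" lines on stdin (the format
# printed by `code --list-extensions --show-versions`), prints every line
# that exactly matches a compromised version, and returns 1 if any matched.
flag_compromised() {
  hits=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    if printf '%s\n' "$COMPROMISED" | grep -qxF -- "$line"; then
      printf 'COMPROMISED: %s\n' "$line"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# flag_publisher prints every installed extension from the oorzc account,
# whatever its version: the publisher account itself was compromised, so
# other versions deserve a manual look rather than a clean bill of health.
flag_publisher() {
  grep -i '^oorzc\.' || true
}

# Constructed sample of what a workstation listing might look like.
SAMPLE="ms-python.python@2024.22.0
oorzc.ssh-tools@0.5.1
oorzc.mind-map@1.0.60
esbenp.prettier-vscode@11.0.0"

# Run the audit on the constructed sample; exits 1 when a hit is found.
audit_sample() {
  printf '%s\n' "$SAMPLE" | flag_compromised
}

# Real run against the local editor (uncomment; use `codium` for VSCodium):
# code --list-extensions --show-versions | flag_compromised
# code --list-extensions --show-versions | flag_publisher
```

Run the real listing through both functions on each developer workstation; a non-zero exit from `flag_compromised` is the signal to treat the machine as compromised and start credential rotation, while any output from `flag_publisher` is a prompt for manual review of that extension's remaining versions.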
These findings align with an early January report from Koi Security that said the GlassWorm malware evolved to specifically target macOS systems, accumulating 50,000 downloads through malicious Open VSX extensions.