GlassWorm Malware Plants 73 Sleeper Extensions in OpenVSX to Steal Crypto Wallets

Gate News, April 28: Security researchers have identified 73 malicious extensions planted in the OpenVSX registry by the GlassWorm campaign; six have already been activated to steal developers' cryptocurrency wallets and credentials. The extensions were uploaded as look-alike copies of legitimate listings, with the malicious code injected through later updates.

GlassWorm first emerged in October 2025, using invisible Unicode characters to hide code that targets crypto wallet data and developer credentials. The campaign has since spread across npm packages, GitHub repositories, the Visual Studio Code Marketplace, and OpenVSX. In mid-March 2026, a major wave affected hundreds of repositories and dozens of extensions, prompting intervention from multiple security research groups. The attackers use a delayed-activation strategy: they first distribute clean extensions to build an install base, then ship the malware through updates. Socket researchers identified three delivery methods: loading a second VSIX package from GitHub via CLI commands; deploying platform-specific compiled modules, such as .node files, that carry the core malicious logic; and shipping heavily obfuscated JavaScript that decodes itself at runtime to download and install further payloads.
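The hiding technique described above is one a reviewer can check for mechanically, because characters that render as nothing still have code points. The following Python scanner is an added example, not code from the Gate News report, from Socket, or from any of the research groups named here. Which code points count as "invisible" is an assumption made for this example: it flags Unicode format characters (category Cf), variation selectors, private-use and unassigned code points, and line/paragraph separators, none of which belong in ordinary extension source. The JavaScript it scans is a constructed sample.

```python
"""Flag invisible Unicode characters in JavaScript/TypeScript source files.

Added illustration, not the report's or any vendor's tooling. The set of code
points treated as invisible is an assumption for this example, not a list
taken from GlassWorm samples.
"""
import unicodedata

# Ranges that render as nothing in nearly every editor (assumption, see above).
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors 1-16
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space inside a file
    (0xE0100, 0xE01EF),  # variation selector supplement
)

# Cf = format, Cn = unassigned, Co = private use, Zl/Zp = line/paragraph
# separators. None of these has a legitimate role in source code.
SUSPICIOUS_CATEGORIES = {"Cf", "Cn", "Co", "Zl", "Zp"}


def is_suspicious(ch):
    """True if a single character renders invisibly or has no visible glyph."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) in SUSPICIOUS_CATEGORIES


def scan_source(text):
    """Return (line, column, 'U+XXXX', name) for every suspicious character.

    Lines are split on '\\n' only, so U+2028/U+2029 stay inside the line and
    are reported rather than silently treated as line breaks.
    """
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                name = unicodedata.name(ch, "<unassigned or private use>")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings


def summarize(findings):
    """Count suspicious characters per line; a long run on one line is the tell."""
    per_line = {}
    for lineno, _col, _cp, _name in findings:
        per_line[lineno] = per_line.get(lineno, 0) + 1
    return per_line


# Constructed sample: two harmless lines, then a statement followed by eight
# variation selectors that an editor would not display.
CLEAN = "const x = require('fs');\n"
HIDDEN = "module.exports = () => {};" + "".join(chr(0xE0100 + i) for i in range(8)) + "\n"
SAMPLE = CLEAN + "// license: MIT\n" + HIDDEN

if __name__ == "__main__":
    results = scan_source(SAMPLE)
    for lineno, col, cp, name in results:
        print(f"line {lineno} col {col}: {cp} {name}")
    print("suspicious characters per line:", summarize(results))
```

Run over an unpacked .vsix (it is a zip archive) before installing an update, and treat any non-zero count as grounds to diff the update against the previous version rather than as proof of malice: a stray BOM or zero-width joiner can be innocent, a run of dozens of variation selectors after a statement is not.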

The threat extends beyond OpenVSX. On April 22, a malicious version of Bitwarden's CLI was published to the npm registry under the official package name and remained available for 93 minutes. The compromised package harvested GitHub tokens, npm tokens, SSH keys, AWS and Azure credentials, and GitHub Actions secrets. Bitwarden, which serves over 10 million users across more than 50,000 businesses, confirmed the link to a broader campaign tracked by Checkmarx researchers. Such supply chain attacks exploit the gap between a package's publication and any review of its contents; Sonatype counted approximately 454,600 malicious packages published to registries in 2025.

Socket recommends that developers who installed any of the 73 flagged OpenVSX extensions rotate all secrets and clean their development environments. Security observers are watching whether the remaining 67 dormant extensions are activated in the coming days and whether OpenVSX introduces stricter review of extension updates.
