GlassWorm Malware Returns via Cloned Open VSX Browser Extensions
The Resurgence of GlassWorm Malware: Compromising Open VSX Extensions
In a recent development, researchers at Socket have identified a cluster of 73 suspicious Open VSX extensions linked to the notorious GlassWorm malware campaign.
These extensions, designed to mimic popular listings, pose a significant risk to users who install them, potentially compromising their credentials, sensitive information, and cryptocurrency.
The mimicry is a deliberate attempt to evade detection and highlights the sophistication of the attackers. At least six of the extensions have already been activated, and the number is expected to grow as new updates emerge.
A Return to Past Tactics
This resurgence of GlassWorm marks a return to the tactics employed during its initial appearance in the Open VSX registry in October 2025.
In that instance, a dozen extensions were deployed without an apparent payload, only to be later updated to deliver malware through the standard extension update mechanism.
Complexity in Detection
The current wave follows a similar pattern, but it combines multiple delivery methods to complicate detection.
Socket’s research reveals that the extensions employ a cloning strategy, mimicking legitimate listings of popular extensions.
This tactic creates a false sense of familiarity and trust among users, who are more likely to install extensions bearing recognizable names and icons.
This approach underscores the need for robust security measures, particularly within the Open VSX ecosystem, to mitigate such threats.
As the investigation continues, it remains to be seen how widespread the impact of this resurgence will be and what steps can be taken to prevent further compromises.
In the meantime, users are advised to exercise extreme caution when installing extensions, even if they appear trustworthy.
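One way to act on that advice is to audit installed extensions for listings that resemble a trusted one but come from a different publisher namespace. The following is an added example, not code from Socket's research or from the original article; the allowlist, the extension and publisher names, and the similarity threshold are all constructed assumptions.

```python
import difflib
import re

# Constructed allowlist: listings a team actually trusts (hypothetical names).
TRUSTED = [
    {"publisher": "acme-tools", "name": "pretty-formatter", "displayName": "Pretty Formatter"},
    {"publisher": "example-labs", "name": "yaml-helper", "displayName": "YAML Helper"},
]

# Constructed inventory, using the publisher/name/displayName fields that an
# extension's package.json manifest carries.
INSTALLED = [
    {"publisher": "acme-tools", "name": "pretty-formatter", "displayName": "Pretty Formatter"},
    {"publisher": "acme-tool", "name": "pretty-formatter", "displayName": "Pretty Formatter"},
    {"publisher": "devutils", "name": "prety-formatter", "displayName": "Prety Formatter"},
    {"publisher": "qwerty", "name": "fmt-tool", "displayName": "Pretty Formatter"},
    {"publisher": "example-labs", "name": "yaml-helper", "displayName": "YAML Helper"},
    {"publisher": "other", "name": "markdown-notes", "displayName": "Markdown Notes"},
]

def normalize(text):
    """Lowercase and strip separators so 'Pretty Formatter' equals 'pretty-formatter'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def labels(ext):
    """All normalized names under which a listing presents itself."""
    return {normalize(ext["name"]), normalize(ext.get("displayName", ""))} - {""}

def find_lookalikes(installed, trusted=TRUSTED, threshold=0.85):
    """Flag extensions that look like a trusted listing but come from another publisher."""
    findings = []
    for ext in installed:
        for good in trusted:
            if ext["publisher"].lower() == good["publisher"].lower():
                continue  # same namespace as the trusted listing
            score = max(
                difflib.SequenceMatcher(None, a, b).ratio()
                for a in labels(ext) for b in labels(good)
            )
            if score >= threshold:
                findings.append((f'{ext["publisher"]}.{ext["name"]}',
                                 f'{good["publisher"]}.{good["name"]}', round(score, 2)))
    return findings

if __name__ == "__main__":
    for clone, original, score in find_lookalikes(INSTALLED):
        print(f"REVIEW {clone}: resembles {original} (similarity {score})")
```

A match here is only a prompt for manual review of the publisher, and because the campaign delivers its payload through later updates, the check is worth repeating after extensions update.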