A sophisticated cyber-espionage operation, dubbed the GlassWorm campaign, is rapidly expanding its footprint within the open-source community. Cybersecurity researchers at Socket are now tracking a new cluster of 73 impersonation extensions on the Open VSX marketplace, all linked to a persistent threat actor specialized in “sleeper” tactics.
This campaign targets popular integrated development environments (IDEs) including VS Code, Cursor, and Windsurf, turning trusted developer tools into delivery mechanisms for stealthy malware.
The most distinctive characteristic of GlassWorm is its use of sleeper extensions. These are malicious imposters published to marketplaces well before they are weaponized.
According to the Socket report, “A sleeper extension or package is a threat actor-controlled imposter that is published before it is weaponized. It may appear benign at first, often to build trust, downloads, or credibility, but can later be updated to deliver malware through the normal update path”.
By the time the malware is deployed, the extension may have already amassed thousands of downloads and a veneer of legitimacy, making the eventual infection significantly harder to detect.
The latest wave, which escalated in April 2026, involves cloned versions of popular extensions published by newly created GitHub accounts. Researchers noted a recurring pattern in the attacker’s infrastructure.
Accounts typically host only one or two public repositories. In each case, one repository remains empty and is named with a random eight-character string. At least six of the 73 identified extensions have already been activated to deliver live malware.
GlassWorm has evolved its delivery logic to evade traditional static analysis. Rather than placing malicious code directly in the extension’s JavaScript, many variants move it into platform-specific native modules (.node binaries) for Windows and macOS, so a scanner that inspects only the extension’s JavaScript sees little of interest.
Socket’s analysis of the binary-based variants found a streamlined execution path: “The core logic is implemented in the bundled.node binary, not the JavaScript. These binaries contain embedded GitHub release URLs to .vsix files and include installation logic… targeting multiple IDEs”.
For variants that stay entirely in JavaScript, the campaign uses heavy obfuscation that is decoded at runtime to retrieve payloads from secondary GitHub releases, so the retrieval logic only becomes visible when the code actually executes.
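The following script is an added example, not code from the article or from Socket’s tooling. It triages installed extensions for the two delivery traits described above: bundled .node native modules and embedded GitHub release URLs that point at .vsix packages, with a rough hex-escape density check as a lower-confidence hint of runtime-decoded JavaScript. The IDE extension directories, the density threshold, the verdict levels and the two constructed sample extensions (placeholder publisher, owner and repository names) are all assumptions made for this example and are not indicators from the report.

```python
# Added example: local triage of installed IDE extensions for the delivery
# traits described in the article. All paths, thresholds and sample data are
# assumptions for illustration, not indicators published by Socket.
import re
import tempfile
from pathlib import Path

# GitHub release-asset URL ending in .vsix, matched on raw bytes so the same
# pattern works for JavaScript sources and for native binaries.
VSIX_RELEASE_RE = re.compile(
    rb"https?://github\.com/[\w.-]+/[\w.-]+/releases/download/[^\s\"'<>]+\.vsix"
)
# JavaScript hex/unicode escapes; runtime-decoded bundles tend to be dense with them.
JS_ESCAPE_RE = re.compile(rb"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
ESCAPE_DENSITY_THRESHOLD = 20.0  # escapes per KB (assumed threshold)

# Default extension roots for the IDEs named in the article (assumed locations).
IDE_EXTENSION_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".cursor" / "extensions",
    Path.home() / ".windsurf" / "extensions",
]


def scan_extension(ext_dir: Path) -> dict:
    """Collect indicators from one installed extension directory."""
    findings = {"native_modules": [], "vsix_release_urls": [], "obfuscated_js": []}
    for path in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(ext_dir).as_posix()
        data = path.read_bytes()
        if path.suffix == ".node":
            findings["native_modules"].append(rel)
        for m in VSIX_RELEASE_RE.finditer(data):
            findings["vsix_release_urls"].append((rel, m.group(0).decode("ascii", "replace")))
        if path.suffix == ".js" and data:
            density = len(JS_ESCAPE_RE.findall(data)) / (len(data) / 1024)
            if density > ESCAPE_DENSITY_THRESHOLD:
                findings["obfuscated_js"].append((rel, round(density, 1)))
    return findings


def verdict(findings: dict) -> str:
    """'high' when a .vsix release URL is embedded anywhere; 'review' when only
    a native module or escape-dense JS is present (legitimate extensions ship
    .node bindings too, so that alone is not proof); 'clean' otherwise."""
    if findings["vsix_release_urls"]:
        return "high"
    if findings["native_modules"] or findings["obfuscated_js"]:
        return "review"
    return "clean"


def build_samples(root: Path) -> list:
    """Write two constructed (fake) extensions mimicking the described variants.
    Publisher, owner and repo names are placeholders, not real indicators."""
    native = root / "placeholder-publisher.native-variant-1.0.0"
    (native / "native").mkdir(parents=True)
    (native / "package.json").write_text('{"name": "native-variant", "main": "./extension.js"}')
    (native / "extension.js").write_text(
        'const m = require("./native/core.node");\nexports.activate = () => m.run();\n'
    )
    fake_url = b"https://github.com/placeholder-owner/placeholder-repo/releases/download/v1.0.0/payload.vsix"
    # Constructed bytes: an ELF-looking header with the URL embedded as a plain string.
    (native / "native" / "core.node").write_bytes(b"\x7fELF" + b"\x00" * 64 + fake_url + b"\x00" * 64)

    js_only = root / "placeholder-publisher.js-variant-1.0.0"
    (js_only / "lib").mkdir(parents=True)
    (js_only / "package.json").write_text('{"name": "js-variant", "main": "./lib/stage.js"}')
    # Escape-dense string table standing in for a runtime-decoded loader.
    (js_only / "lib" / "stage.js").write_text(
        'var _0xabc=["' + "\\x68\\x74\\x74\\x70\\x73\\x3a" * 8 + '"];module.exports=_0xabc;\n'
    )
    return [native, js_only]


def demo() -> dict:
    """Build the constructed samples in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        results = {}
        for ext in build_samples(Path(tmp)):
            f = scan_extension(ext)
            results[ext.name] = {"verdict": verdict(f), "findings": f}
        return results


if __name__ == "__main__":
    for root in IDE_EXTENSION_ROOTS:
        if not root.is_dir():
            continue
        for ext in sorted(p for p in root.iterdir() if p.is_dir()):
            v = verdict(scan_extension(ext))
            if v != "clean":
                print(f"{v:6} {ext}")
```

A “review” verdict is deliberately weak: many legitimate extensions ship native bindings or minified bundles, so it is a prompt to compare the installed files against the upstream repository and the publisher’s history, not a detection on its own. A plaintext .vsix release URL inside a .node binary, on the other hand, matches the behaviour Socket describes and warrants pulling the extension before investigating further.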