Sober Thoughts. Drunk Posts.

GlassWorm Returns to OpenVSX with 3 New VSCode Extensions

Pour yourself a dram of something dark and let the hype fade away. GlassWorm is back, threading its way through OpenVSX with three new VSCode extensions that look perfectly innocent until you realize they might be weaponized. The same campaign that tainted the OpenVSX and Visual Studio Code marketplaces last month has resurfaced, offering a fresh set of extensions that have already been downloaded more than 10,000 times. Yes, in the time it takes you to scold your firewall for not catching this, a dozen analysts will have clicked install by accident in some dev shop.

What happened

The GlassWorm malware campaign is back in the wild, this time hitching rides on three new VSCode extensions in the OpenVSX marketplace. The pattern is depressingly familiar: legitimate-looking tooling, minimal friction, and a payload that quietly phones home or executes arbitrary code once the user grants permissions. It proves once again that the weakest link in modern software delivery is not the code you write, but the code you import with a click and a smile.

Why this should make you shrug and reach for the whiskey

Because this is not a one-off; this is the new normal. Open source extension ecosystems are a smorgasbord of trust and fear, a place where thousands of developers rely on a handful of publishers and a couple of verification steps that look impressive on a slide deck. The result is a marketplace that feels convenient and cheap until your data starts singing in a language you do not recognize. Vendors will tell you this is a “marketplace risk,” CISOs will nod and pretend their SOCs can catch it, and IT teams will pretend this is someone else’s problem while they redeploy the same extensions again next week.

What to do about it

First, acknowledge that the ecosystem has not earned blanket trust. Use SBOMs and publisher verification where possible, and stop pretending that a shiny store page equals safe code. Restrict extension installations to trusted sources, and consider disabling or tightly controlling remote code execution and telemetry for extensions in high-risk environments. Audit what extensions are installed, who published them, and what permissions they request. If you can, test extensions in isolated sandboxes before broad rollout and monitor for anomalous network activity or unexpected payloads. Finally, keep your whiskey glass full and your alerting loud, because the cycle will repeat until the underlying governance improves.
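
One way to run the audit described above, as an added example rather than code from the original article: it reads each installed extension's `package.json` and flags publishers outside an allowlist and extensions that activate on every editor start. The allowlist, the sample manifests and the startup-activation heuristic are assumptions made for illustration; a flag means "review this", not "this is malicious".

```python
import json
import tempfile
from pathlib import Path

# Constructed sample manifests (not real extensions); keys are folder names.
SAMPLE = {
    "trusted-pub.linter-1.2.0": {
        "publisher": "trusted-pub", "name": "linter", "version": "1.2.0",
        "activationEvents": ["onLanguage:python"]},
    "unknown-pub.theme-helper-0.0.3": {
        "publisher": "unknown-pub", "name": "theme-helper", "version": "0.0.3",
        "activationEvents": ["*"], "main": "./out/ext.js"},
}

def audit_extensions(ext_dir, allowed_publishers):
    """Return one finding per installed extension, with flags that need review."""
    allowed = {p.lower() for p in allowed_publishers}
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append({"id": manifest.parent.name, "flags": ["unreadable-manifest"]})
            continue
        publisher = str(meta.get("publisher", "")).lower()
        flags = []
        if publisher not in allowed:
            flags.append("publisher-not-allowlisted")
        # "*" and "onStartupFinished" load extension code on every editor start.
        events = meta.get("activationEvents") or []
        if any(e in ("*", "onStartupFinished") for e in events):
            flags.append("activates-on-startup")
        findings.append({"id": f"{publisher}.{meta.get('name')}",
                         "version": meta.get("version"), "flags": flags})
    return findings

def demo():
    """Write the constructed manifests to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for folder, meta in SAMPLE.items():
            ext = Path(tmp, folder)
            ext.mkdir()
            (ext / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        return audit_extensions(tmp, allowed_publishers={"trusted-pub"})

if __name__ == "__main__":
    # Real use: audit_extensions(Path.home() / ".vscode" / "extensions", {...})
    for finding in demo():
        print(finding)
```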

Read the original article here for the details and the links to the three extensions: GlassWorm malware returns on OpenVSX with 3 new VSCode extensions
