GlassWorm Returns: Malicious VS Code Extensions Hit Developer Supply Chain Again
Original source: "Fresh Wave of GlassWorm VS Code Extensions Slices Through Supply Chain" (Dark Reading)
A new wave of GlassWorm-laced extensions has surfaced in the Visual Studio Code marketplace, continuing a campaign that weaponizes the IDE’s extension ecosystem against developers. The malware rides into trusted developer environments through compromised or impersonated extensions, giving attackers a foothold inside the very machines that build and ship software downstream.
The attack pattern is familiar but increasingly effective: developer tooling sits upstream of every artifact a team produces, so a single poisoned extension can cascade into source code, build pipelines, and ultimately the products consumed by end users. VS Code’s marketplace, with its loose vetting relative to traffic volume, remains a soft target for this class of supply-chain abuse.
For security teams, the takeaway is that endpoint and EDR coverage on developer workstations is no longer optional, and extension allowlisting belongs alongside dependency pinning as a baseline control. Treating IDE plugins as untrusted code — because that’s what they are — is the only durable mitigation until marketplace operators tighten review.
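The extension allowlisting the summary recommends is only useful if it is actually checked. The script below is an added example, not code from the article or from any vendor: it audits an installed-extension inventory, in the `publisher.name@version` line format that `code --list-extensions --show-versions` prints, against a pinned allowlist and reports anything unlisted or at an unapproved version. The allowlist entries and the sample inventory are constructed for illustration.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Input is the text that `code --list-extensions --show-versions` prints:
one `publisher.name@version` per line. Everything below is constructed
sample data, not a real inventory.
"""
from typing import Dict, List, Set, Tuple

# Constructed allowlist: extension id -> approved versions (pinned, like dependencies).
ALLOWLIST: Dict[str, Set[str]] = {
    "ms-python.python": {"2024.22.0"},
    "esbenp.prettier-vscode": {"11.0.0"},
}

# Constructed inventory in the same shape as `code --list-extensions --show-versions` output.
SAMPLE_INVENTORY = """\
ms-python.python@2024.22.0
esbenp.prettier-vscode@10.4.0
unknown-publisher.helper-tools@1.3.7
"""


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Split each `publisher.name@version` line into (id, version).
    Ids are lowercased so comparison with the allowlist is not case-sensitive."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue  # skip blank lines and anything that is not id@version
        ext_id, _, version = line.rpartition("@")
        items.append((ext_id.lower(), version))
    return items


def audit(inventory: List[Tuple[str, str]], allowlist: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Classify each installed extension as approved, unlisted (not on the allowlist
    at all), or version_drift (allowed publisher/extension but an unapproved version)."""
    report: Dict[str, List[str]] = {"unlisted": [], "version_drift": [], "approved": []}
    for ext_id, version in inventory:
        if ext_id not in allowlist:
            report["unlisted"].append(f"{ext_id}@{version}")
        elif version not in allowlist[ext_id]:
            report["version_drift"].append(f"{ext_id}@{version}")
        else:
            report["approved"].append(f"{ext_id}@{version}")
    return report


if __name__ == "__main__":
    # On a real workstation, replace SAMPLE_INVENTORY with the captured output of
    # `code --list-extensions --show-versions` and alert on any non-approved entry.
    for category, entries in audit(parse_inventory(SAMPLE_INVENTORY), ALLOWLIST).items():
        for entry in entries:
            print(f"{category}: {entry}")
```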
This is an AI-generated summary; read the original article at Dark Reading for the full story.