GlassWorm Malware Plants 73 Sleeper Extensions in OpenVSX to Steal Crypto Wallets

Gate News message, April 28 — Security researchers have identified 73 malicious extensions planted by GlassWorm malware in OpenVSX’s registry, with six already activated to steal developers’ cryptocurrency wallets and credentials. The extensions were uploaded as fake copies of legitimate listings, with malicious code injected through later updates.

GlassWorm first emerged in October 2025, using invisible Unicode characters to hide code targeting crypto wallet data and developer credentials. The campaign has since spread across npm packages, GitHub repositories, Visual Studio Code Marketplace, and OpenVSX. In mid-March 2026, a major wave affected hundreds of repositories and dozens of extensions, prompting intervention from multiple security research groups. The attackers employ a delayed activation strategy, initially distributing clean extensions to build an install base before deploying malware through updates. Socket researchers identified three delivery methods: loading a second VSIX package from GitHub via CLI commands, deploying platform-specific compiled modules like .node files containing core malicious logic, and using heavily obfuscated JavaScript that decodes at runtime to download and install malicious payloads.
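A defender-side check for the hiding technique described above, added here as an example; it is not code from the article, Socket, or OpenVSX. It flags long runs of non-rendering code points in extension source files. The range list, the `min_run` threshold and the function names are assumptions of this example, since the article does not say which characters GlassWorm used.

```python
import os
import re

# Code point ranges that render as nothing in most editors. Assumption: the
# page does not say which characters GlassWorm used, so this is a general set.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space / BOM
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]
_CLASS = "".join(f"{chr(lo)}-{chr(hi)}" for lo, hi in INVISIBLE_RANGES)

def find_invisible_runs(text, min_run=4):
    """Return (line, column, length, codepoints) per run of >= min_run
    invisible characters. Shorter runs are skipped: emoji legitimately
    carry a single variation selector or zero-width joiner."""
    pattern = re.compile(f"[{_CLASS}]{{{min_run},}}")
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for m in pattern.finditer(line):
            cps = sorted({f"U+{ord(c):04X}" for c in m.group()})
            findings.append((line_no, m.start() + 1, len(m.group()), cps))
    return findings

def scan_tree(root, exts=(".js", ".mjs", ".cjs", ".json")):
    """Scan an unpacked extension directory; return {path: findings}."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    runs = find_invisible_runs(fh.read())
                if runs:
                    hits[path] = runs
    return hits

# Constructed sample: line 1 is a benign emoji, line 2 hides 12 characters.
SAMPLE = "const ok = '\u2764\ufe0f';\nconst s = '" + "\U000e0101" * 12 + "';\n"

if __name__ == "__main__":
    print(find_invisible_runs(SAMPLE))
```

A hit is a reason to inspect the file by hand, not proof of compromise; a clean result says nothing about the compiled `.node` modules or the second-stage VSIX downloads mentioned above.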

The threat extends beyond OpenVSX. On April 22, the npm registry briefly hosted a malicious version of Bitwarden’s CLI under the official package name for 93 minutes. The compromised package stole GitHub tokens, npm tokens, SSH keys, AWS and Azure credentials, and GitHub Actions secrets. Bitwarden, which serves over 10 million users across more than 50,000 businesses, confirmed the connection to a broader campaign tracked by Checkmarx researchers. Supply chain attacks exploit the time lag between package publication and content verification; Sonatype reported approximately 454,600 malicious packages infesting registries in 2025.

Socket recommends that developers who installed any of the 73 flagged OpenVSX extensions rotate all secrets and clean their development environments. Security observers are monitoring whether the remaining 67 dormant extensions activate in the coming days and whether OpenVSX implements stricter review controls for extension updates.
