{
  "Event": {
    "analysis": "1",
    "date": "2026-04-25",
    "extends_uuid": "",
    "info": "[Threat Intel] 73 Open VSX Sleeper Extensions Linked to Malware Show New Activations",
    "protected": false,
    "publish_timestamp": "1779545714",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545714",
    "uuid": "a76fd9e6-a50a-47c5-8289-93dc5a1d997e",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#3000b9",
        "local": false,
        "name": "rectifyq:workflow=\"enrichment\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#201172",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#047df6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Drive-by Target - T1608.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Upload Malware - T1608.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#c8f8ef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Binary Proxy Execution - T1218\"",
        "relationship_type": ""
      },
      {
        "colour": "#76434a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Link Target - T1608.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Host Software Binary - T1554\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#8d021b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dead Drop Resolver - T1102.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345213",
        "to_ids": false,
        "type": "link",
        "uuid": "992172f2-4259-4de0-b77a-9d68be62f3a2",
        "value": "https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345213",
        "to_ids": false,
        "type": "text",
        "uuid": "e27f54e5-2ea2-440c-9577-76acb43b7b52",
        "value": "The GlassWorm campaign targeting Open VSX has escalated with 73 newly identified impersonation extensions. These sleeper extensions were initially published by newly created GitHub accounts without malicious payloads, appearing benign to build trust and credibility. At least six extensions have been activated to deliver malware through normal update mechanisms. The extensions clone popular legitimate listings with similar branding, icons, and descriptions, making detection difficult. The threat actor has shifted delivery methods away from embedded loaders toward transitive delivery via extension dependencies, external payload retrieval from GitHub-hosted VSIX files, and native binary execution. Some variants use obfuscated JavaScript to decode and retrieve payloads at runtime. The malicious code targets multiple IDEs, including VS Code, Cursor, Windsurf, and VSCodium, and installs the downloaded extensions through command-line interfaces."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345213",
        "to_ids": false,
        "type": "text",
        "uuid": "eabf6aae-7f38-419d-b3a8-ff3624812600",
        "value": "Name: 73 Open VSX Sleeper Extensions Linked to Malware Show New Activations\nAuthor: AlienVault\nAdversary: GlassWorm\nTags: [\"open vsx\", \"glassworm\", \"supply chain attack\", \"vsix payload\", \"impersonation\", \"sleeper extensions\", \"transitive delivery\", \"ide compromise\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1059.007\", \"T1195.001\", \"T1036.005\", \"T1204.002\", \"T1608.004\", \"T1140\", \"T1608.001\", \"T1036\", \"T1218\", \"T1608.005\", \"T1554\", \"T1059.001\", \"T1027\", \"T1573\", \"T1195.002\", \"T1071.001\", \"T1105\", \"T1102.001\"]\nIndustries: [\"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345213",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "95229204-c678-4bf8-a42f-00d76f2e08fc",
        "value": "GlassWorm"
      },
      {
        "category": "Payload delivery",
        "comment": "Native Installer Binaries",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629755",
        "to_ids": true,
        "type": "sha256",
        "uuid": "1ee4c684-64cf-43bc-ab34-6258644a66ab",
        "value": "4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345213",
        "to_ids": true,
        "type": "md5",
        "uuid": "20508ae4-7205-411c-ad88-a74d6ef0db9b",
        "value": "28d59940483fa3bea0599ce55aa86245"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345213",
        "to_ids": true,
        "type": "sha1",
        "uuid": "a474e9f2-677d-49c2-a0cf-c9798b5b195b",
        "value": "c074880abdbf87a9fd2e1393d4cb36c32f1f8f58"
      },
      {
        "category": "Payload delivery",
        "comment": "Native Installer Binaries",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629751",
        "to_ids": true,
        "type": "sha256",
        "uuid": "6b519d6f-9bad-4e8f-a92a-af02c9e68d8c",
        "value": "1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168"
      },
      {
        "category": "Payload delivery",
        "comment": "Downloaded VSIX Payload",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629761",
        "to_ids": true,
        "type": "sha256",
        "uuid": "2f1c4227-028b-4b16-ad8c-072b1b3f729d",
        "value": "97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629740",
        "to_ids": true,
        "type": "url",
        "uuid": "a70940f1-d81c-4403-a188-3b16bd3f024f",
        "value": "github.com/SquadMagistrate10/wnxtgkih"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629740",
        "to_ids": true,
        "type": "url",
        "uuid": "586e052d-67dc-46ec-b8b0-775995962578",
        "value": "github.com/francesca898/dqwffqw"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629740",
        "to_ids": true,
        "type": "url",
        "uuid": "9dc095ce-2817-4355-8690-847ad4c2ac10",
        "value": "github.com/ColossusQuailPray/oiegjqde"
      }
    ]
  }
}