
Open VSX extensions hijacked: GlassWorm malware spreads via dependency abuse
Threat actors are abusing extension dependency relationships in the Open VSX registry to indirectly deliver malware in a new phase of the GlassWorm supply-chain campaign. Researchers at Socket said they have identified at least 72 additional malicious Open VSX extensions linked to the campaign since January 31, 2026. The extensions appear to target developers by posing as helpful tools, such as linters, formatters, database utilities, or integrations for AI coding assistants, while serving as delivery vehicles for a malware loader linked to the GlassWorm operation. “Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing ‘extensionPack’ and ...
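A defender-side audit of the `extensionPack` relationship described above, as an added example that is not from the article or from Socket. It assumes the usual layout of one folder per installed extension with a `package.json` manifest inside, and a hypothetical list of approved extension IDs; all publisher and extension names in the sample are constructed.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample manifests (hypothetical publishers/names), keyed by install folder.
SAMPLE = {
    "example-pub.sql-helper-1.0.0": {"publisher": "example-pub", "name": "sql-helper",
                                     "extensionPack": ["Example-Pub.format-kit"]},
    "example-pub.format-kit-2.1.0": {"publisher": "example-pub", "name": "format-kit",
                                     "extensionPack": ["other-pub.loader-ext",
                                                       "example-pub.sql-helper"]},
    "other-pub.loader-ext-0.0.3": {"publisher": "other-pub", "name": "loader-ext"},
}

def load_manifests(ext_root):
    """Map lowercased 'publisher.name' to the parsed package.json of each extension."""
    manifests = {}
    for pkg in Path(ext_root).glob("*/package.json"):
        try:
            m = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(m, dict) and m.get("publisher") and m.get("name"):
            manifests[f"{m['publisher']}.{m['name']}".lower()] = m
    return manifests

def indirect_installs(manifests, approved, fields=("extensionPack",)):
    """Return {extension_id: chain} for extensions reachable from an approved
    extension through the given manifest fields but not approved themselves."""
    seen = {a.lower() for a in approved}
    stack = [(a, [a]) for a in sorted(seen)]
    findings = {}
    while stack:
        ext_id, chain = stack.pop()
        for field in fields:
            refs = manifests.get(ext_id, {}).get(field)
            for ref in refs if isinstance(refs, list) else []:
                ref = ref.lower() if isinstance(ref, str) else None
                if ref is None or ref in seen:
                    continue  # malformed entry, or already visited (breaks cycles)
                seen.add(ref)
                findings[ref] = chain + [ref]
                stack.append((ref, findings[ref]))
    return findings

def demo():
    """Write SAMPLE to a temp directory and audit it with one approved extension."""
    with tempfile.TemporaryDirectory() as root:
        for folder, manifest in SAMPLE.items():
            (Path(root) / folder).mkdir()
            (Path(root) / folder / "package.json").write_text(json.dumps(manifest))
        return indirect_installs(load_manifests(root), {"example-pub.sql-helper"})
```

Each finding carries the chain from the approved extension to the one it pulled in, so a reviewer can see which listing introduced an unreviewed extension; other manifest relationship fields can be audited by passing them in `fields`.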