A serious supply-chain attack has been uncovered on the Open VSX extension registry, a platform widely used by developers to download and manage coding extensions. In this incident, attackers compromised a legitimate developer account and used it to publish malicious updates. The attack relied on abusing existing trust rather than exploiting the platform itself. This made the threat difficult to notice at an early stage.

The incident took place on January 30, 2026, when four popular extensions were updated with hidden malicious code. These extensions had been trusted and used by developers for more than two years. Because the updates came from a real developer account, they appeared completely normal. Before detection, the infected extensions were downloaded over 22,000 times.

All four affected extensions were published under the developer name “oorzc” and were common utility tools used in daily development work. Many users already had these extensions installed on their systems. As a result, the malware spread automatically through routine updates. Users were unaware that anything harmful had been installed.

The malicious updates delivered a malware loader known as GlassWorm. This malware is designed to operate quietly in the background while avoiding detection. It uses advanced techniques to hide harmful code inside legitimate-looking files. Because of this, even experienced developers may not notice its presence.

Once active, GlassWorm is capable of stealing sensitive information from infected systems. This includes developer credentials, access tokens, and authentication data. It can also scan browsers to extract saved information and target cryptocurrency wallet extensions. Such data can later be abused for further attacks or financial theft.

GlassWorm can also install hidden remote-access components on infected machines. This allows attackers to secretly control systems without the user’s knowledge. In addition, the malware can turn compromised devices into proxy servers. These proxies can be used to route malicious traffic and hide the attacker’s real location.

Security investigations confirmed that the attackers gained access by stealing the developer’s publishing credentials. There is no indication that Open VSX itself was directly breached. Once the malicious activity was identified, the affected extensions were removed from the registry. Compromised access tokens were revoked to stop further damage.

This incident highlights the increasing risk of supply-chain attacks in modern software development. Developers often trust third-party tools and automatic updates. A single compromised account can impact thousands of users. Experts recommend rotating credentials, reviewing installed extensions, and using strong authentication to reduce future risks.
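One way to carry out the "reviewing installed extensions" recommendation, as an added example that is not from the original article: the script below walks an extensions directory and lists every installed extension from a flagged publisher. Only the publisher name "oorzc" comes from the article; the extension names, the sample directory tree and the `<publisher>.<name>-<version>` folder layout are assumptions made for the example.

```python
import json
import re
import tempfile
from pathlib import Path

# Publisher named in the article; add others you need to review.
FLAGGED_PUBLISHERS = {"oorzc"}
# Assumption: installed folders are named "<publisher>.<name>-<version>".
DIR_RE = re.compile(r"^(?P<publisher>[^.]+)\.(?P<name>.+)-(?P<version>\d+\.\d+\.\d+.*)$")


def read_identity(ext_path):
    """Return (publisher, name, version) from package.json, else from the folder name."""
    try:
        manifest = json.loads((ext_path / "package.json").read_text(encoding="utf-8"))
        return manifest["publisher"], manifest["name"], manifest["version"]
    except (OSError, ValueError, KeyError, TypeError):
        m = DIR_RE.match(ext_path.name)
        return (m["publisher"], m["name"], m["version"]) if m else None


def audit_extensions(ext_dir, flagged=FLAGGED_PUBLISHERS):
    """List installed extensions whose publisher is in `flagged` (case-insensitive)."""
    wanted = {p.lower() for p in flagged}
    hits = []
    for entry in sorted(Path(ext_dir).iterdir()):
        ident = read_identity(entry) if entry.is_dir() else None
        if ident and str(ident[0]).lower() in wanted:
            hits.append(dict(zip(("publisher", "name", "version"), ident), path=str(entry)))
    return hits


def build_sample(root):
    """Constructed sample install tree; the extension names are placeholders."""
    samples = {
        "oorzc.example-tool-1.2.3": {"publisher": "oorzc", "name": "example-tool", "version": "1.2.3"},
        "acme.linter-0.4.0": {"publisher": "acme", "name": "linter", "version": "0.4.0"},
        "Oorzc.broken-manifest-2.0.1": None,  # unreadable manifest: folder name is used
    }
    for folder, manifest in samples.items():
        ext = Path(root) / folder
        ext.mkdir(parents=True)
        (ext / "package.json").write_text(json.dumps(manifest) if manifest else "{not json")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in audit_extensions(build_sample(tmp)):
            print("REVIEW", hit)
```

To audit a real machine, pass your editor's extensions directory to `audit_extensions` instead of the sample tree; the location varies by editor.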

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news