Supply chain attack hits Open VSX registry, malicious updates spread via trusted extensions 

Cybersecurity researchers have uncovered a supply chain attack targeting the Open VSX Registry, where threat actors hijacked a legitimate developer’s account to distribute malicious updates through trusted extensions.

According to a report published by Socket, four Open VSX extensions maintained by the “oorzc” developer were compromised on January 30, 2026. The malicious updates embedded the GlassWorm malware loader and were pushed to users through normal update mechanisms. The affected extensions had been available for more than two years in some cases and had collectively amassed over 22,000 downloads before the attack was detected.

Socket attributed the attack to a compromise of the developer's publishing credentials; the Open VSX security team assessed that a leaked access token or other unauthorized account access was the likely cause. The malicious versions have since been removed from the registry.
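A local check a practitioner would want after reading this, added here as an example and not code from Socket, Open VSX or the article: a Python script that inventories the extensions installed under the standard VS Code and VSCodium (Open VSX-backed) extension directories by reading each extension's package.json, and flags anything published by a watchlist publisher such as "oorzc". The article does not name the four extensions or the affected version numbers, so the directory tree the demo builds is constructed: the extension name "example-tool", the version "1.4.2" and the other entries are placeholders, not the real compromised packages.

```python
"""Inventory locally installed VS Code / VSCodium extensions and flag a publisher watchlist.

Layout assumed (standard for VS Code-family editors):
    <root>/<publisher>.<name>-<version>/package.json
Default roots are ~/.vscode/extensions (VS Code) and ~/.vscode-oss/extensions
(VSCodium and other Open VSX-backed builds); pass your own list for other forks.
"""
import json
import os
import tempfile
from pathlib import Path


def default_roots():
    """Standard extension directories for VS Code and VSCodium for the current user."""
    home = Path(os.path.expanduser("~"))
    return [home / ".vscode" / "extensions", home / ".vscode-oss" / "extensions"]


def inventory_extensions(root):
    """Return one record per extension directory under root.

    Each record carries the directory name plus publisher/name/version read from
    package.json. A directory whose manifest is missing or unparseable is still
    recorded (with error set) so it does not silently drop out of the audit.
    """
    root = Path(root)
    records = []
    if not root.is_dir():
        return records
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue  # extensions.json, .obsolete and similar bookkeeping files
        manifest = entry / "package.json"
        record = {"dir": entry.name, "publisher": None, "name": None,
                  "version": None, "error": None}
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            record["publisher"] = str(meta.get("publisher", "")).lower()
            record["name"] = meta.get("name")
            record["version"] = meta.get("version")
        except (OSError, ValueError):
            record["error"] = "missing or malformed package.json"
        records.append(record)
    return records


def flag_publishers(records, watchlist):
    """Return the records whose publisher is on the watchlist (case-insensitive)."""
    wanted = {p.lower() for p in watchlist}
    return [r for r in records if r["publisher"] in wanted]


def audit(roots=None, watchlist=("oorzc",)):
    """Inventory every root and return (all_records, flagged_records)."""
    roots = default_roots() if roots is None else roots
    records = []
    for root in roots:
        records.extend(inventory_extensions(root))
    return records, flag_publishers(records, watchlist)


def run_demo():
    """Build a constructed extension tree in a temp dir and audit it.

    The publisher 'oorzc' is the one named in the Socket report; the extension
    name, version and the other entries are placeholders, not real packages.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        constructed = {
            "oorzc.example-tool-1.4.2": {"publisher": "oorzc", "name": "example-tool", "version": "1.4.2"},
            "someone.harmless-0.0.3": {"publisher": "Someone", "name": "harmless", "version": "0.0.3"},
        }
        for dirname, meta in constructed.items():
            (root / dirname).mkdir()
            (root / dirname / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        # A directory with a corrupt manifest, to show it is reported rather than skipped.
        (root / "broken.ext-9.9.9").mkdir()
        (root / "broken.ext-9.9.9" / "package.json").write_text("{not json", encoding="utf-8")
        (root / "extensions.json").write_text("[]", encoding="utf-8")  # bookkeeping file, ignored

        records, flagged = audit(roots=[root], watchlist=["oorzc"])
        for r in records:
            status = "FLAGGED" if r in flagged else ("ERROR" if r["error"] else "ok")
            print(f"{status:8} {r['dir']}  publisher={r['publisher']} version={r['version']}")
        return records, flagged


if __name__ == "__main__":
    run_demo()
```

Calling `audit()` with no arguments scans the real default directories. A flagged hit only tells you that an extension from the named publisher is installed; compare its version against the advisory's actual list of affected releases before deciding whether to remove it, and treat any record with `error` set as worth a manual look, since a manifest that will not parse is unusual for a legitimately packaged extension.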

The malicious extensions deployed GlassWorm, a loader that decrypts and executes its payloads at runtime and uses the EtherHiding technique to locate its command-and-control (C&C) infrastructure: the current C&C addresses are read from data stored on a public blockchain, so taking down any single server does not sever the attackers' control. The payload targeted macOS systems, stealing browser data, cryptocurrency wallet information, iCloud Keychain data, Apple Notes, user documents, VPN configurations, and developer credentials such as AWS and SSH keys. Researchers noted that the malware refuses to run on systems with a Russian locale, a behaviour commonly seen in malware linked to Russian-speaking threat actors.

“This incident also differs materially from GlassWorm activity previously documented. Earlier waves largely relied on typosquatting and brandjacking, cloning or mimicking popular developer tools and attempting to appear trustworthy by artificially inflating download counts,” the researchers noted. “By contrast, these four extensions were published under an established publisher account with a multi-extension history and meaningful adoption signals across ecosystems.”
