The latest Security Affairs Malicious Software Newsletter (Round 95) highlights a concerning development in the software supply chain landscape: the activation of "sleeper" extensions. Researchers have linked 73 malicious extensions on the Open VSX marketplace to the GlassWorm threat actor.
Unlike traditional malware that requires a phishing lure or exploit, these threats burrow into the core tools developers use daily—Visual Studio Code (VS Code) and compatible editors. Because Open VSX is an open-source registry used by various IDEs, this compromise extends beyond the Microsoft ecosystem, posing a significant risk to organizations relying on automated extension provisioning. The "activation" of these sleepers suggests that the dormant phase is over, and active data theft or system compromise may be underway.
Technical Analysis
Affected Platform: Visual Studio Code (and any IDE utilizing the Open VSX registry, such as Eclipse Theia or VSCodium).
Threat Vector: Supply Chain Compromise via Malicious Extensions.
Attack Chain:
- Infection: Developers install a compromised extension from the Open VSX marketplace. These extensions often mimic popular tools (themes, linters, or utilities) to gain installation trust.
- Persistence: Once installed, the extension executes within the privileged context of the IDE. It gains access to the file system, environment variables, and often the terminal capabilities of the host machine.
- Activation ("GlassWorm"):
Detection & Response
SIGMA Rules
The following Sigma rules target the abnormal behavior of malicious VS Code extensions. Legitimate extensions rarely spawn standard system shells or make arbitrary network connections to non-Microsoft/non-GitHub domains.
```yaml
title: VS Code Extension Host Spawning System Shell
id: 8f4c3d21-1a5b-4c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects when a VS Code extension host process (typically node.exe) spawns a command shell or PowerShell. This is a common TTP for malicious extensions gaining execution.
references:
  - https://securityaffairs.com/191623/malware/security-affairs-malware-newsletter-round-95.html
author: Security Arsenal
date: 2025/04/08
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'   # extension host often runs as node (VS Code Server, Theia); desktop VS Code hosts extensions inside Code.exe, so widen this for your fleet
    ParentCommandLine|contains:
      - 'vscode'      # context of VS Code
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate debugging extensions or developer tools utilizing terminals (rare for extension host to spawn directly).
level: high
```

```yaml
title: VS Code Extension Process Suspicious Network Connection
id: 9a5f1e22-2b6c-5d9e-0f1a-2b3c4d5e6f7g
status: experimental
description: Detects network connections initiated by VS Code extension host processes to non-standard external endpoints, indicative of C2 beacons or data exfiltration.
references:
  - https://securityaffairs.com/191623/malware/security-affairs-malware-newsletter-round-95.html
author: Security Arsenal
date: 2025/04/08
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\node.exe'
    InitiatingProcessCommandLine|contains:   # Defender schema field; Sysmon EID 3 carries no command line, so map this to your backend
      - '.vscode'
  filter_legit:
    DestinationHostname|endswith:
      - '.microsoft.com'
      - '.microsoftonline.com'
      - '.github.com'
      - '.visualstudio.com'
      - '.azureedge.net'
      - '.vscode-unpkg.net'
  condition: selection and not filter_legit
falsepositives:
  - Extensions connecting to known cloud APIs (AWS, Google) that are not in the filter list. Update filters as needed.
level: medium
```
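To show what the two Sigma rules actually match, here is an added Python example (not part of the original article) that implements their selection and filter logic and runs it over constructed process-creation and network-connection events. The field names follow the rules above; the event records, hostnames and paths are constructed for the demonstration.

```python
"""Evaluate the two Sigma rules above against constructed endpoint telemetry."""
from __future__ import annotations

SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")

# Destination suffixes the second rule treats as expected extension-host traffic.
LEGIT_SUFFIXES = (
    ".microsoft.com", ".microsoftonline.com", ".github.com",
    ".visualstudio.com", ".azureedge.net", ".vscode-unpkg.net",
)


def ends_with_any(value: str, suffixes: tuple[str, ...]) -> bool:
    """Sigma string matching is case-insensitive by default; mirror that."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_shell_spawn(event: dict) -> bool:
    """Rule 1: node.exe running in a VS Code context spawning a system shell."""
    parent_ok = ends_with_any(event.get("ParentImage", ""), ("\\node.exe",)) \
        and "vscode" in event.get("ParentCommandLine", "").lower()
    child_ok = ends_with_any(event.get("Image", ""), SHELLS)
    return parent_ok and child_ok


def matches_suspicious_connection(event: dict) -> bool:
    """Rule 2: node.exe under .vscode connecting outside the allow-listed domains."""
    selection = ends_with_any(event.get("Image", ""), ("\\node.exe",)) \
        and ".vscode" in event.get("InitiatingProcessCommandLine", "").lower()
    filtered = ends_with_any(event.get("DestinationHostname", ""), LEGIT_SUFFIXES)
    return selection and not filtered


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule title, event id) for every event that fires a rule."""
    hits = []
    for ev in events:
        if ev["category"] == "process_creation" and matches_shell_spawn(ev):
            hits.append(("VS Code Extension Host Spawning System Shell", ev["id"]))
        elif ev["category"] == "network_connection" and matches_suspicious_connection(ev):
            hits.append(("VS Code Extension Process Suspicious Network Connection", ev["id"]))
    return hits


# Constructed sample telemetry: one true positive and one benign event per rule.
SAMPLE_EVENTS = [
    {"id": "p1", "category": "process_creation",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "ParentCommandLine": r'"C:\Program Files\nodejs\node.exe" C:\Users\dev\.vscode-server\bin\out\server-main.js --type=extensionHost',
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"id": "p2", "category": "process_creation",            # plain build script, no VS Code context
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "ParentCommandLine": r'"C:\Program Files\nodejs\node.exe" build.js',
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"id": "n1", "category": "network_connection",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "InitiatingProcessCommandLine": r"node.exe C:\Users\dev\.vscode\extensions\example-publisher.sleeper-theme-0.0.3\out\extension.js",
     "DestinationHostname": "update.example.invalid"},      # constructed, not an allow-listed domain
    {"id": "n2", "category": "network_connection",          # same process, allow-listed destination
     "Image": r"C:\Program Files\nodejs\node.exe",
     "InitiatingProcessCommandLine": r"node.exe C:\Users\dev\.vscode\extensions\trusted-org.good-linter-1.2.0\out\extension.js",
     "DestinationHostname": "api.github.com"},
]

if __name__ == "__main__":
    for title, event_id in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {title} <- event {event_id}")
```

Running the block reports p1 and n1 only: p2 has no VS Code context in the parent command line, and n2 is suppressed by the filter, which is the same behaviour the `condition` lines of the two rules express.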
KQL (Microsoft Sentinel / Defender)
```kql
// Hunt for suspicious child processes spawned by VS Code Extension Host
DeviceProcessEvents
| where InitiatingProcessFileName =~ "node.exe"
| where InitiatingProcessCommandLine has ".vscode"
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "wsl.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc
```

```kql
// Hunt for suspicious network connections from Extension Host
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "node.exe"
| where InitiatingProcessCommandLine has ".vscode"
| where not(RemoteUrl has_any ("microsoft.com", "github.com", "vscode-unpkg.net", "azureedge.net"))
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessCommandLine
| order by Timestamp desc
```
Velociraptor VQL
This artifact locates installed extensions so that each package.json manifest can be audited manually for suspicious scripts or obscure dependencies.

```sql
-- Hunt for installed VS Code extensions in user profiles (Windows, Linux, macOS)
SELECT FullPath,
       Mtime,
       Size
FROM glob(globs=[
    'C:/Users/*/.vscode/extensions/*/package.json',
    '/home/*/.vscode/extensions/*/package.json',
    '/Users/*/.vscode/extensions/*/package.json',
    '/root/.vscode/extensions/*/package.json'
])
-- In a real investigation, parse each manifest, e.g.
-- parse_json(data=read_file(filename=FullPath)), and check 'contributes',
-- 'activationEvents' or 'scripts'
```
Remediation Script (PowerShell)
This script assists in enumerating installed extensions for auditing and provides a method to remove extensions by identifier (if identified as malicious).
```powershell
# Audit VS Code Extensions
Write-Host "[+] Enumerating installed VS Code extensions..." -ForegroundColor Cyan

$UserPath   = "$env:USERPROFILE\.vscode\extensions"
# Built-in extensions shipped with VS Code itself
$SystemPath = "$env:ProgramFiles\Microsoft VS Code\resources\app\extensions"

foreach ($Root in @($UserPath, $SystemPath)) {
    if (-not (Test-Path $Root)) { continue }
    Write-Host "[*] Scanning $Root" -ForegroundColor Cyan
    $Extensions = Get-ChildItem -Path $Root -Directory
    foreach ($Ext in $Extensions) {
        $Manifest = Join-Path $Ext.FullName "package.json"
        if (Test-Path $Manifest) {
            $Data = Get-Content $Manifest -Raw | ConvertFrom-Json
            # 'publisher' is a plain string in package.json; the extension ID is publisher.name
            $Id = "$($Data.publisher).$($Data.name)"
            Write-Host "Name: $($Data.displayName) - Publisher: $($Data.publisher) - ID: $Id" -ForegroundColor White
            Write-Host "  Path: $($Ext.FullName)"
            Write-Host "  Version: $($Data.version)"
        }
    }
}

# Remediation: Uninstall extension (Manual Step Placeholder)
# Use the command: code --uninstall-extension <extension-id>
# Example:
# Start-Process "code" -ArgumentList "--uninstall-extension", "publisher.extensionName" -Wait
```
Remediation
- Audit and Inventory: Immediately inventory all extensions currently installed across developer workstations and build agents. Compare the list of installed extension IDs (publisher.extensionName) against the indicators of compromise (IOCs) provided by threat intelligence feeds regarding the 73 identified Open VSX extensions.
- Removal of Malicious Extensions: If a malicious extension is identified, remove it immediately using the VS Code CLI: code --uninstall-extension <publisher.extensionName>.
- Review Open VSX Usage: If your organization allows the use of the Open VSX registry (common in Linux or open-source-focused environments), consider enforcing a whitelist of allowed extensions or blocking access to open-vsx.org in favor of a strictly curated internal marketplace proxy.
- Update Marketplace Settings: Ensure VS Code instances are configured to only allow extensions from the trusted marketplace by default if policy allows, reducing the risk of typosquatting on alternative registries.
- Scan Artifacts: Run the provided Velociraptor artifact or PowerShell script across endpoints to ensure no remnants of the malicious extension files persist in the .vscode/extensions directory.
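The Velociraptor artifact, the PowerShell script and the Audit and Inventory step all come down to the same task: read each extension's package.json, derive the publisher.name identifier, and compare it with an IOC list while looking for suspicious scripts. The following added Python example (not the article's own tooling) does that end to end over a constructed extensions tree. The IOC identifier, the folder names and the manifests are constructed placeholders, and the two extra heuristics (npm lifecycle scripts in the manifest and wildcard "*" activation) are this example's own audit criteria, not indicators published for GlassWorm.

```python
"""Audit VS Code extension manifests and compare their IDs with an IOC list."""
import json
import tempfile
from pathlib import Path

# Placeholder IOC set: real identifiers come from your threat-intelligence feed.
KNOWN_BAD_IDS = {"example-publisher.sleeper-theme"}      # constructed placeholder

# npm lifecycle hooks that run code at install time; unusual in an installed extension manifest
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def extension_id(manifest: dict) -> str:
    """VS Code identifies an extension as <publisher>.<name>, compared case-insensitively."""
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()


def audit_manifest(path: Path) -> dict:
    """Parse one package.json and return the audit record for that extension."""
    data = json.loads(path.read_text(encoding="utf-8"))
    ext_id = extension_id(data)
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("matches IOC list")
    hooks = [h for h in LIFECYCLE_HOOKS if h in (data.get("scripts") or {})]
    if hooks:
        findings.append("install-time scripts: " + ", ".join(hooks))
    if "*" in (data.get("activationEvents") or []):
        findings.append("activates on every startup (activationEvents '*')")
    return {"id": ext_id, "version": data.get("version", "?"),
            "path": str(path.parent), "findings": findings}


def audit_extensions_dir(root: Path) -> list[dict]:
    """Walk <root>/<extension folder>/package.json, as the PowerShell script does."""
    return [audit_manifest(m) for m in sorted(root.glob("*/package.json"))]


def build_sample_tree(root: Path) -> None:
    """Constructed sample extensions: one benign, one matching the IOC placeholder."""
    benign = {"name": "good-linter", "publisher": "trusted-org", "version": "1.2.0",
              "activationEvents": ["onLanguage:python"], "main": "./out/extension.js"}
    sleeper = {"name": "sleeper-theme", "publisher": "example-publisher", "version": "0.0.3",
               "activationEvents": ["*"], "main": "./out/extension.js",
               "scripts": {"postinstall": "node ./setup.js"}}
    for folder, manifest in (("trusted-org.good-linter-1.2.0", benign),
                             ("example-publisher.sleeper-theme-0.0.3", sleeper)):
        d = root / folder
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


def run_demo() -> list[dict]:
    """Build the constructed tree in a temp dir, audit it and print a report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / ".vscode" / "extensions"
        build_sample_tree(root)
        report = audit_extensions_dir(root)
    for r in report:
        status = "FLAGGED" if r["findings"] else "ok"
        print(f"{status:7} {r['id']} {r['version']}  {'; '.join(r['findings'])}")
    return report


if __name__ == "__main__":
    run_demo()
```

For a real audit, point audit_extensions_dir at the profile paths used by the Velociraptor globs and the PowerShell script, and feed every flagged ID to code --uninstall-extension <publisher.extensionName> as the removal step describes; the script only reports and never deletes anything itself.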