Security researchers have shared details of a malware attack targeting macOS. The Threat Research team at Socket identified a new GlassWorm attack which uses compromised Open VSX extensions.
The extensions have been installed thousands of times, and come from the account from a legitimate developer whose account was compromised. Similar attacks have been taking place since October last year, but recent activity shows there is an uptick in this approach.
Writing about its findings, Socket says that its “Threat Research team identified a developer-compromise supply chain attack distributed via the Open VSX Registry, specifically a compromise of the developer’s publishing credentials. The Open VSX security team assessed the activity as consistent with a leaked token or other unauthorized access”.
The latest activity shows that while, broadly speaking, the attack vector remains the same, the current breed of GlassWorm attack take a slightly different approach. By targeting a known developer, it is easier to slip under the radar.
Socket says that it has been in contact with the developers to highlight the issue. It adds:
Across all four extensions, the malicious update introduces staged loaders that decrypt and execute embedded code at runtime, includes Russian-locale avoidance, resolves command and control (C2) pointers from Solana transaction memos, and then executes additional remote code.
This tradecraft aligns with the recent GlassWorm cluster we have been tracking internally since December 2025. In that work, we identified and reported earlier malicious Open VSX extensions tied to the same staging and blockchain-resolved infrastructure patterns, which reduce reliance on static indicators and enable rapid server-side updates.
Socket concludes by saying:
