
Introduction:
The GlassWorm campaign has escalated, with 73 newly identified malicious “sleeper” extensions discovered on the Open VSX marketplace in April 2026. This attack marks a dangerous shift where threat actors publish benign-looking extensions to build trust, only to later update them remotely with malware that steals source code, SSH keys, and cloud credentials. Addressing this threat requires a complete rethinking of developer environment security, moving from reactive scanning to proactive, layered defenses.
Learning Objectives:
- Understand how sleeper extensions exploit automatic updates to deliver malware after gaining developer trust.
- Learn to manually audit installed VS Code extensions using native commands, security tools, and threat feeds.
- Implement proactive defenses including publisher verification, permission analysis, and containerized installation.
You Should Know:
1. Malicious Sleeper Extensions: The Art of the Delayed Attack
Traditional malware detection fails against sleeper extensions because these packages contain no malicious code when first installed. Researchers discovered that threat actors use freshly created GitHub accounts to clone popular extensions — copying icons, descriptions, and even README files — then publish them to the Open VSX marketplace. At least six of the 73 new extensions have already been “activated” to deliver payloads via normal update paths.
How It Works:
- The extension initially functions as a harmless clone, building download momentum.
- Weeks later, the attacker pushes an update through the legitimate marketplace pipeline.
- The update adds obfuscated JavaScript that self-decodes and retrieves a malicious VSIX payload from GitHub, installing it via command line.
- Alternatively, hidden .node binaries inside the extension download and execute malware for IDEs like VS Code and Cursor.
Indicators of compromise currently include GitHub URLs such as `github[.]com/SquadMagistrate10/wnxtgkih` and malicious SHA256 hashes like 1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168.
2. Manual Extension Audit: From VSCE Verification to Command-Line Inventory
Microsoft’s `vsce` CLI tool verifies the digital signature chain of any VSIX package, confirming it hasn’t been tampered with since publication. To audit manually, first install the tool globally using Node.js (`npm install -g vsce`), then download the target extension from a constructed URL pattern and verify its signature:

```bash
# Download the extension by constructing the direct Marketplace download URL.
# Replace PUBLISHER_NAME, EXTENSION_NAME and VERSION accordingly.
VSIX_URL="https://marketplace.visualstudio.com/_apis/public/gallery/publishers/PUBLISHER_NAME/vsextensions/EXTENSION_NAME/VERSION/vspackage"
curl -L -o suspicious.vsix "$VSIX_URL"

# Verify the digital signature chain.
vsce verify suspicious.vsix
```

Expected output includes "Signature is valid"; any certificate error indicates compromise.
For a lightweight inventory audit of your current environment, use these standard commands:
- Linux/macOS, list all installed extensions with version and publisher: `code --list-extensions --show-versions`
- PowerShell (Windows), export a device-wide inventory for analysis: `code --list-extensions --show-versions | Out-File -FilePath extensions-audit.txt`
- Cross-platform enumeration of the actual extension files: `ls ~/.vscode/extensions` (Linux/macOS) or `dir %USERPROFILE%\.vscode\extensions` (Windows)
- Check for suspicious `extensionDevelopmentPath` settings, which can bypass normal installation: `grep -i "extensionDevelopmentPath" ~/.config/Code/User/settings.json`
3. Runtime Scanning and Active Defense Tools
Beyond static analysis, active defense tools provide ongoing protection against sleeper extension activation. UBEL is an open-source supply-chain firewall for VS Code that scans installed extensions in real-time using OSV’s vulnerability database and blocks malware through policy enforcement. Scan your extension directory directly with:
- Windows/Linux: `Ctrl+Alt+X` executes UBEL’s extension scan, which writes an HTML report to `~/.vscode/extensions/.ubel/reports/latest.html`.
VSX-Bastion implements a bastion-host pattern using Docker containers — each extension is installed inside a temporary, isolated container, scanned for malicious patterns, and only transferred to the host if clean. This containerization approach prevents malware from ever reaching your development machine. Quick setup:
```bash
git clone <VSX-Bastion-URL> && cd VSX-Bastion
python3 -m venv venv && source venv/bin/activate   # or .\venv\Scripts\activate on Windows
pip install -r requirements.txt
python3 main.py --config extensions-list/whitelist.yaml
```
VSCan is a free web-based analyzer that scans extension code for hidden malware, obfuscated scripts, overly broad permissions, and malicious network endpoints without requiring any login. Developers have already used it to identify hundreds of vulnerabilities and sensitive data leaks including API keys, usernames, and passwords directly in published extensions. To use it with your own extension files:
```bash
# Package any local extension folder into a VSIX for deep analysis.
npm install -g @vscode/vsce
vsce package
```

Then upload the resulting `.vsix` file to https://vscan.dev for comprehensive analysis.
4. Permission Inspection and Workspace Trust Hardening
VS Code extensions declare their required permissions in the `package.json` manifest, and modern versions of VS Code support granular isolation through Web Worker execution mode. Before installing any extension, inspect its `activationEvents` for dangerous triggers.
Dangerous permission flags to check in `package.json`:
- `"activationEvents": ["onStartupFinished"]` — runs immediately on VS Code launch without user interaction.
- `"capabilities": {"untrustedWorkspaces": {"supported": true}}` — allows the extension to bypass Workspace Trust restrictions.
- Dependencies on `child_process`, `net`, or `fs` beyond what the extension’s functionality obviously requires.
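Pulling the inventory of section 2 and the manifest checks above together, here is an added audit script (my example, not the article’s or any scanner’s code). It walks `~/.vscode/extensions`, checks each `package.json` against an allowlist written in the `publisher` / `publisher.name` key shape of `extensions.allowed` (assumed here, with a specific extension entry overriding its publisher), and flags startup activation, untrusted-workspace support and `require()` calls to risky Node core modules; the sample manifests and source line are constructed.

```python
# Added example, not the article's code. Assumes extensions live under
# ~/.vscode/extensions/<dir>/package.json; samples below are constructed.
import json
import re
from pathlib import Path

RISKY_MODULES = {"child_process", "net", "fs"}  # process, network and disk reach
REQUIRE_RE = re.compile(r"""require\(\s*['"](?:node:)?(\w+)['"]\s*\)""")

# Constructed samples: an approved extension and a look-alike clone of it.
ALLOWLIST = {"ms-python": True}
SAMPLE_CLEAN = {"publisher": "ms-python", "name": "python",
                "activationEvents": ["onLanguage:python"]}
SAMPLE_SLEEPER = {"publisher": "newpub", "name": "python",
                  "activationEvents": ["onStartupFinished"],
                  "capabilities": {"untrustedWorkspaces": {"supported": True}}}
SAMPLE_SOURCE = "const cp = require('child_process'); const n = require('node:net');"


def is_allowed(manifest, allowlist):
    """Approved when publisher.name, or failing that the publisher, maps to True."""
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}"
    if ext_id in allowlist:  # assumption: a specific entry overrides its publisher
        return allowlist[ext_id] is True
    return allowlist.get(manifest.get("publisher", "")) is True


def audit_manifest(manifest, allowlist, source=""):
    """Return findings for one manifest and, optionally, its entry-point JS."""
    findings = []
    events = manifest.get("activationEvents", [])
    if not is_allowed(manifest, allowlist):
        findings.append("not in allowlist")
    if "onStartupFinished" in events or "*" in events:  # "*" is the legacy form
        findings.append("activates on startup without user action")
    if manifest.get("capabilities", {}).get("untrustedWorkspaces", {}).get("supported") is True:
        findings.append("runs in untrusted workspaces")
    used = sorted(RISKY_MODULES & set(REQUIRE_RE.findall(source)))
    if used:
        findings.append("requires " + ", ".join(used))
    return findings


def audit_directory(ext_root, allowlist):
    """Map every <dir>/package.json under ext_root to its findings."""
    results = {}
    for pkg in Path(ext_root).glob("*/package.json"):
        manifest = json.loads(pkg.read_text(encoding="utf-8"))
        entry = pkg.parent / manifest.get("main", "extension.js")
        source = entry.read_text(encoding="utf-8", errors="ignore") if entry.is_file() else ""
        results[pkg.parent.name] = audit_manifest(manifest, allowlist, source)
    return results
```

The `require()` scan is a plain string match, so the self-decoding loaders described in section 1 will not show up in it; treat a clean result as triage, not clearance, and rerun the audit after every extension update.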
To use experimental extension process isolation, add this to your settings.json:

```jsonc
"extensions.experimental.affinity": {
  "suspicious.publisher": 2 // 2 = run in a separate, low-privilege Web Worker process
}
```
If the extension mysteriously breaks after enabling this, it likely relied on blocked Node.js core modules — a clear indicator of malicious intent.
5. Enterprise Policies and Supply-Chain Quarantine
Organizations must enforce centralized extension allowlisting to block unsigned or unvetted VS Code extensions. Microsoft provides Group Policy templates for Windows environments that restrict extension installation to an approved list. Implementation steps:
- Windows (Local Group Policy): Run `gpedit.msc`, navigate to Computer Configuration → Administrative Templates → Visual Studio Code → Extensions, and enable “Configure list of allowed extensions.”
- Linux/macOS (settings.json policy): Add the `extensions.allowed` configuration array with explicit `publisher.name` identifiers for approved extensions only.
- CI/CD pipeline audits: Integrate extension scanning into your build process — audit `~/.vscode/extensions` as part of your security pipeline and fail builds when unknown or malicious extensions are detected.
Additionally, implement secret rotation and short-lived credentials so that compromised developer workstations leak keys that are already invalid or quickly revoked.
6. Containerized Installation and Network Monitoring
The most robust defense against sleeper extensions is to never install them directly on your development machine at all. Use disposable dev environments:
- GitHub Codespaces: Each session provides a fresh, ephemeral environment with no persistence for malicious code.
- Docker-based dev containers: Define a `.devcontainer/devcontainer.json` that installs only pre-approved extensions and rebuilds from scratch after each session.
- VSX-Bastion’s container isolation: As detailed in Section 3, this approach fetches extensions in temporary Docker containers and performs behavioral analysis before host installation.
For network-layer detection, monitor egress traffic from IDE processes for unexpected connections to GitHub releases or other external hosts. Suspicious outbound connections from any extension host process should trigger immediate quarantine and investigation.
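As an added example of the network-layer detection described above (mine, not the article’s), the script below parses a constructed connection log and flags only extension-host processes that reach hosts outside a small allowlist of marketplace and update endpoints; the log format, the `EVENT_RE` field names and `ALLOWED_HOSTS` are assumptions to adapt to your own EDR or netflow export.

```python
"""Flag unexpected egress from VS Code extension-host processes.

Added example, not the article's code. Assumptions: a constructed
one-connection-per-line log with pid=, proc="..." and dst=host:port fields
(adapt EVENT_RE to your EDR or netflow export); ALLOWED_HOSTS is a starting
allowlist of marketplace/update endpoints, not an exhaustive one.
"""
import re

EVENT_RE = re.compile(r'pid=(\d+)\s+proc="([^"]*)"\s+dst=([^:\s]+):(\d+)')

ALLOWED_HOSTS = {"marketplace.visualstudio.com", "open-vsx.org",
                 "update.code.visualstudio.com"}

# Constructed sample: a normal marketplace fetch by a utility process, an
# extension host reaching GitHub and a raw IP, and unrelated browser traffic.
SAMPLE_LOG = """\
2026-04-12T09:14:03Z pid=4801 proc="code --type=utility" dst=marketplace.visualstudio.com:443
2026-04-12T09:16:41Z pid=4811 proc="code --type=extensionHost" dst=github.com:443
2026-04-12T09:16:42Z pid=4811 proc="code --type=extensionHost" dst=203.0.113.10:8443
2026-04-12T09:17:05Z pid=5120 proc="firefox" dst=github.com:443
2026-04-12T09:18:30Z pid=4811 proc="code --type=extensionHost" dst=open-vsx.org:443
"""


def parse_event(line):
    """Return (pid, proc, host, port), or None for lines that do not match."""
    m = EVENT_RE.search(line)
    return (int(m.group(1)), m.group(2), m.group(3), int(m.group(4))) if m else None


def flag_egress(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return extension-host connections to hosts outside the allowlist.

    Extension code runs in the extension host, so traffic from the main,
    renderer or utility processes is ignored; a browser hitting GitHub is noise.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        pid, proc, host, port = ev
        if "--type=extensionHost" in proc and host not in allowed_hosts:
            hits.append({"pid": pid, "host": host, "port": port})
    return hits


def pids_to_quarantine(hits):
    """Distinct extension-host PIDs to isolate and investigate, sorted."""
    return sorted({h["pid"] for h in hits})
```

Processes an extension spawns through `child_process` appear under their own names, so correlate parent PID as well where your telemetry records it.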
7. The Future of IDE Supply-Chain Security
The Eclipse Foundation, which maintains Open VSX, has announced staged pre-publish security checks that will flag name impersonation, accidentally published secrets, and known malicious patterns before new extensions go live. Microsoft’s Visual Studio Marketplace already runs multi-step vetting including sandboxed dynamic detection on every incoming VSIX file. However, detection alone cannot stop sleeper extensions — architectural changes are needed. The Open VSX registry is also working to revoke leaked tokens and strengthen publisher identity verification.
What Undercode Say:
- The fundamental flaw of IDE extension marketplaces is that trust signals (download counts, ratings, verified publisher badges) can be trivially forged and are not substitutes for code inspection.
- Sleeper extensions represent a strategic evolution in supply-chain attacks, exploiting the legitimate update mechanism to bypass all static malware scanning.
- Every developer workstation should be treated as a potential patient-zero vector for enterprise compromise, with network monitoring, containerized tooling, and strict extension allowlisting as baseline requirements.
Prediction:
In the next 12 months, expect Microsoft and the Eclipse Foundation to introduce cryptographic extension signing tied to hardware keys, sandboxed sub-process isolation for all extensions by default, and automated behavioral analysis for every automatic update. Sleeper attacks will shift from VS Code to AI coding assistants and CI/CD pipeline plugins, where the same delayed-update technique can poison build outputs rather than developer workstations. Organizations that fail to implement extension allowlisting today will experience IDE-borne breaches proportional to their developer headcount.
Reported By: Hackermohitkumar 73 – Hackers Feeds