Researchers uncover 73 fake VS Code extensions that carry malware

Summary: Cybersecurity researchers discovered a group of 73 fake VS Code extensions in the Open VSX repository, linked to the GlassWorm v2 malware campaign.

73 fake VS Code extensions detected distributing malware and stealing developer data

By MSB

A new cybersecurity investigation has sounded the alarm in the developer community: at least 73 fake Visual Studio Code extensions have been identified as part of an active malware campaign targeting development environments.

The finding, published by researchers and distributed by The Hacker News, reveals a sophisticated operation that uses extension repositories to infiltrate malicious code into tools that millions of programmers use daily.

A silent attack at the heart of development

The detected extensions are clones of legitimate tools: they copy names, icons, and descriptions to deceive users and generate trust.

Of the 73 identified, at least six contain active malicious code, while the rest act as “sleeper packages”, designed to appear harmless until they receive a subsequent malicious update.

This approach allows attackers to build credibility before executing the attack, avoiding initial suspicion.

GlassWorm v2: malware designed to expand

The campaign has been linked to an operation known as GlassWorm v2, an evolution of previous attacks that had already compromised hundreds of packages since late 2025.

The mechanism is particularly concerning:

  • The extensions act as initial loaders
  • They download a second malicious extension from external repositories
  • They install the malware in multiple development environments (VS Code, Cursor, VSCodium, among others)

This turns a single point of entry into a cross-infection across the developer's entire machine.
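A defender can check for both traits described above, cloned names and spread across editors, by inventorying every editor's extension folder against an allowlist. The following Python sketch is an added example, not code from the researchers or from the campaign; the folder paths are assumed per-user defaults and the extension IDs are constructed placeholders.

```python
import json
from pathlib import Path

# Assumed default per-user extension folders (not from the article); adjust as needed.
EDITOR_DIRS = {"VS Code": "~/.vscode/extensions", "Cursor": "~/.cursor/extensions",
               "VSCodium": "~/.vscode-oss/extensions"}

def inventory(editor_dirs):
    """Map editor -> [(publisher.name, displayName)] read from each package.json."""
    found = {}
    for editor, root in editor_dirs.items():
        found[editor] = []
        for manifest in sorted(Path(root).expanduser().glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
                ext_id = f"{meta['publisher']}.{meta['name']}".lower()
            except (OSError, ValueError, KeyError, TypeError):
                continue  # unreadable or incomplete manifest is skipped
            found[editor].append((ext_id, str(meta.get("displayName", ""))))
    return found

def audit(found, approved):
    """Flag IDs missing from approved ({lowercase id: display name}); note clones and spread."""
    by_name = {name.strip().lower(): ext_id for ext_id, name in approved.items()}
    seen = {}
    for editor, items in found.items():
        for ext_id, display in items:
            if ext_id not in approved:
                seen.setdefault((ext_id, display.strip().lower()), set()).add(editor)
    findings = []
    for (ext_id, display), editors in sorted(seen.items()):
        reasons = ["not on allowlist"]
        if display in by_name:  # same visible name, different publisher or package
            reasons.append(f"display name copies {by_name[display]}")
        if len(editors) > 1:    # one unapproved ID found in more than one editor
            reasons.append("installed in several editors")
        findings.append((ext_id, sorted(editors), reasons))
    return findings

# Constructed sample data: hypothetical IDs, not indicators from the campaign.
APPROVED = {"goodcorp.linter": "Good Linter"}
SAMPLE = {"VS Code": [("goodcorp.linter", "Good Linter"), ("g00dcorp.linter", "Good Linter")],
          "Cursor": [("g00dcorp.linter", "Good Linter")],
          "VSCodium": [("other.theme", "Some Theme")]}

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(finding)
    # On a real machine: audit(inventory(EDITOR_DIRS), your_allowlist)
```

Some manifests store `displayName` as a localization placeholder such as `%displayName%`, so the name comparison only catches clones that ship the copied name literally.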

Credential theft and remote control

The ultimate goal of the attack is clear: persistent access and sensitive data.

According to the researchers, the malware can:

  • Steal credentials, tokens, and system data
  • Install a remote access trojan (RAT)
  • Deploy malicious extensions in browsers to extract additional information

Furthermore, the code is designed to evade detection and prevent execution in certain countries, which indicates a high level of planning.

The new target: developers

This type of campaign confirms a growing trend in cybersecurity: attackers are shifting their focus towards developers and their tools.

Development environments contain critical assets—such as SSH keys, access tokens, and source code—making them high-value targets.

Instead of attacking final applications directly, cybercriminals seek to compromise the supply chain from its origin.

A structural problem

The incident exposes weaknesses in extension ecosystems:

  • Lack of strict controls in marketplaces
  • Ability to execute code with broad privileges
  • Automatic updates that can introduce malware without user intervention

These features, designed to facilitate development, also expand the attack surface.

Conclusion

The discovery of these 73 fake extensions is not an isolated incident, but a sign of change in the threat landscape.

Security no longer depends solely on the code written by developers, but also on the code they install without questioning.

In an environment where a simple extension can compromise an entire system, trust has become the most exploited attack vector.

Key facts

  • 73 fake VS Code extensions were identified in the Open VSX repository.
  • Six of these extensions have been confirmed as malicious.
  • The extensions used in the campaign are cloned versions of legitimate packages.
  • The malware is delivered through dormant packages (sleeper packages) and subsequent updates.

Why it matters

This incident highlights the grave risk developers face when using third-party extensions. Attackers are exploiting the inherent trust in popular development tools, requiring companies to strengthen their software supply chain defenses.
