73 Fake VS Code Extensions Discovered

Cybersecurity researchers have discovered a group of 73 fake extensions for Microsoft Visual Studio Code (VS Code) in the Open VSX Repository. These extensions are part of an ongoing information theft campaign known as GlassWorm. The researchers found that most of these extensions are clones of their legitimate counterparts, making it difficult to identify the threat. Of the 73 identified extensions, six were classified as malicious. These malicious extensions are designed to steal sensitive information from users.

The remaining extensions appear harmless at first glance but could serve as part of a larger strategy to spread malware. The GlassWorm campaign aims to collect data from developers and users who utilize VS Code. Researchers warn that the use of fake extensions is a growing problem, as they are often hard to distinguish from legitimate extensions. The malicious extensions could infiltrate development environments by providing fake features or by spying on user data. The security researchers have identified the fake extensions across various categories, including tools for web development and data analysis.

This variety indicates that the attackers are attempting to target a broad spectrum of developers. The use of fake extensions is not new; however, the number of discovered cases has increased in recent months. To protect users, experts recommend installing extensions only from trusted sources. Microsoft has already taken measures to enhance security in the Open VSX Repository, including regular audits and the implementation of security protocols to identify and remove malicious content.

The researchers also noted that the malicious extensions are often accompanied by fake ratings and positive feedback to gain user trust. This further complicates the identification of the threat. Users should therefore exercise caution and thoroughly review extensions before installation. The GlassWorm campaign exemplifies the increasing complexity of cyberattacks in 2026. Attackers are employing ever more sophisticated methods to achieve their goals.

The discovery of these fake extensions underscores the need for developers to stay informed about current threats and to follow security practices. The researchers have documented the malicious extensions in a database that is regularly updated. This database aims to help developers stay informed about known threats and protect their development environments. The security landscape in software development remains tense, and researchers warn of further attacks in the future. The vulnerability exploited by the GlassWorm campaign could potentially affect millions of users who utilize VS Code. Microsoft has announced that they will provide an update by the end of May 2026 to address the security vulnerabilities.