GlassWorm malware is expanding to open source platforms
- GlassWorm malware campaign expanded from VS Code Marketplace to Open VSX
- Four compromised extensions delivered macOS infostealer stealing browser data, wallets, and keychain info
- Extensions downloaded 22,000 times; attackers excluded Russian systems, hinting at Russian origin
GlassWorm, the malware campaign which targeted VS Code developers on Microsoft’s official Visual Studio Code marketplace, has now expanded to open source alternatives, experts have claimed.
Recently, security researchers Socket said they discovered four extensions in Open VSX, an open, vendor-neutral marketplace for editor extensions (mainly used by developers who work with VS Code-compatible editors).
These extensions started off as benign, but were compromised at some point and used to deliver an infostealer to macOS users in typical supply-chain attack style. Here is the list of the compromised extensions:
- oorzc.ssh-tools v0.5.1
- oorzc.i18n-tools-plus v1.6.8
- oorzc.mind-map v1.0.61
- oorzc.scss-to-css-compile v1.3.4
Cleaning up after the attack
The extensions were updated to include malware on January 30, after staying legitimate for roughly two years.
The malware loads a macOS infostealer that harvests sensitive data from browsers (Firefox and Chromium), cryptocurrency wallet extensions and apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem.
Everything is then exfiltrated to an attacker-owned server.
In total, the extensions were downloaded 22,000 times, the researchers said, hinting at a relatively successful campaign. What’s more, the campaign targets exclusively macOS devices, while excluding Russian-locale systems, which could mean the attackers are of Russian origin.
Socket notified the Eclipse Foundation, which operates Open VSX, of its findings, and the platform revoked tokens and removed the malicious releases. This doesn’t mean everyone is safe, though. Users who downloaded the extensions must still remove them, scan their systems for any remnants of malware, and rotate their credentials to fully mitigate the risks.
One of the extensions - oorzc.ssh-tools - was completely removed from Open VSX since it contained multiple malicious versions, it was said. Other extensions were simply cleaned up and returned to the platform.
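As an added example (not code from the article, Socket or Open VSX), this Python script checks locally installed editor extensions against the four IDs and versions listed above. The directory list and the `<publisher>.<name>-<version>` folder naming are assumptions about common VS Code-compatible editors; versions other than the listed ones are only marked for review, except oorzc.ssh-tools, which is reported to have had multiple malicious versions.

```python
import json
import re
from pathlib import Path

# Extension IDs and versions exactly as listed in the article.
LISTED = {
    "oorzc.ssh-tools": "0.5.1",
    "oorzc.i18n-tools-plus": "1.6.8",
    "oorzc.mind-map": "1.0.61",
    "oorzc.scss-to-css-compile": "1.3.4",
}
# Reported to have had multiple malicious versions, so any version is flagged.
ANY_VERSION = {"oorzc.ssh-tools"}
# Assumption: per-user extension directories of common VS Code-compatible editors.
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-oss/extensions",
                 ".cursor/extensions", ".windsurf/extensions"]
DIR_RE = re.compile(r"^(?P<id>[^.]+\..+?)-(?P<ver>\d+\.\d+\.\d+)(?:-.*)?$")


def identify(ext_dir):
    """Return (extension_id, version) from package.json, else from the folder name."""
    try:
        m = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{m['publisher']}.{m['name']}".lower(), str(m["version"])
    except (OSError, ValueError, KeyError, TypeError):
        hit = DIR_RE.match(ext_dir.name)
        return (hit["id"].lower(), hit["ver"]) if hit else None


def scan(roots):
    """Return (verdict, id, version, path) for installed extensions named in the article."""
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # editor not installed or no extensions yet
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ident = identify(ext_dir)
            if ident is None or ident[0] not in LISTED:
                continue
            ext_id, version = ident
            listed = version == LISTED[ext_id] or ext_id in ANY_VERSION
            findings.append(("REMOVE" if listed else "REVIEW", ext_id, version, str(ext_dir)))
    return findings


if __name__ == "__main__":
    for verdict, ext_id, version, path in scan(Path.home() / r for r in DEFAULT_ROOTS):
        print(f"{verdict}  {ext_id} {version}  {path}")
```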
Via BleepingComputer
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.