VDB
GCVE-110-OSM-2026-443
GCVE-110-OSM-2026-443
Advisory PublishedCVSS 8.8/10
New sleeper Open VSX extension added to the GlassWorm cluster in the 2026-04-29 wave. Currently benign but operator-controlled and staged for runtime activation following the same pattern as previously confirmed payloads.
=== GlassWorm Open VSX Campaign ===
Multi-stage supply chain attack targeting VS Code, Cursor, Windsurf, and VSCodium.
=== STAGE 1: Obfuscated Loader ===
Heavily obfuscated JavaScript bundled in the extension decodes at runtime
to fetch a secondary .vsix payload from attacker-controlled GitHub repos:
- https://github.com/SquadMagistrate10/wnxtgkih
- https://github.com/francesca898/dqwffqw
- https://github.com/ColossusQuailPray/oiegjqde
=== STAGE 2: Native Binary Execution ===
Platform-specific .node binaries embed GitHub URLs and IDE installation
logic targeting VS Code, Cursor, Windsurf, and VSCodium directories.
=== STAGE 3: Transitive Delivery (2026-04-29 wave) ===
Sleeper extensions reference blockstoks.easily-gitignore-manage via
extensionPack/extensionDependencies — installing one extension silently
pulls in the GlassWorm component.
=== File Hashes (SHA256) ===
Native installer binaries:
- 1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168
- 4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd
Downloaded VSIX payload:
- 97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | lyu-wen-studio-web-han.better-formatter-vscode | all (affected) | — |
| unknown | mswincx.antigravity-cockpit | all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected) | — |
| unknown | littensy-studio.magical-icons | * (affected), all (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | brategmaqendaalar-studio.pro-prettyxml-formatter | all (affected) | — |
| unknown | zubarets.latex-quick-suite | all (affected) | — |
References
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.