VDB
GCVE-110-OSM-2026-516
GCVE-110-OSM-2026-516
Advisory PublishedCVSS 9.6/10
Sleeper Open VSX extension that was weaponized on 2026-04-29 via transitive delivery — the extension references the malicious package blockstoks.easily-gitignore-manage through extensionPack/extensionDependencies, which silently installs the GlassWorm payload alongside the host extension.
=== GlassWorm Open VSX Campaign ===
Multi-stage supply chain attack targeting VS Code, Cursor, Windsurf, and VSCodium.
=== STAGE 1: Obfuscated Loader ===
Heavily obfuscated JavaScript bundled in the extension decodes at runtime
to fetch a secondary .vsix payload from attacker-controlled GitHub repos:
- https://github.com/SquadMagistrate10/wnxtgkih
- https://github.com/francesca898/dqwffqw
- https://github.com/ColossusQuailPray/oiegjqde
=== STAGE 2: Native Binary Execution ===
Platform-specific .node binaries embed GitHub URLs and IDE installation
logic targeting VS Code, Cursor, Windsurf, and VSCodium directories.
=== STAGE 3: Transitive Delivery (2026-04-29 wave) ===
Sleeper extensions reference blockstoks.easily-gitignore-manage via
extensionPack/extensionDependencies — installing one extension silently
pulls in the GlassWorm component.
=== File Hashes (SHA256) ===
Native installer binaries:
- 1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168
- 4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd
Downloaded VSIX payload:
- 97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | svetelin.industrious-live-hub | all (affected) | — |
| unknown | mecreation-studio.pyrefly-pro-extension | all (affected) | — |
| unknown | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.