VDB

GCVE-110-OSM-2026-518

GCVE-110-OSM-2026-518
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 25, 2026
Sleeper Open VSX extension that was weaponized on 2026-04-29 via transitive delivery — the extension references the malicious package blockstoks.easily-gitignore-manage through extensionPack/extensionDependencies, which silently installs the GlassWorm payload alongside the host extension. === GlassWorm Open VSX Campaign === Multi-stage supply chain attack targeting VS Code, Cursor, Windsurf, and VSCodium. === STAGE 1: Obfuscated Loader === Heavily obfuscated JavaScript bundled in the extension decodes at runtime to fetch a secondary .vsix payload from attacker-controlled GitHub repos: - https://github.com/SquadMagistrate10/wnxtgkih - https://github.com/francesca898/dqwffqw - https://github.com/ColossusQuailPray/oiegjqde === STAGE 2: Native Binary Execution === Platform-specific .node binaries embed GitHub URLs and IDE installation logic targeting VS Code, Cursor, Windsurf, and VSCodium directories. === STAGE 3: Transitive Delivery (2026-04-29 wave) === Sleeper extensions reference blockstoks.easily-gitignore-manage via extensionPack/extensionDependencies — installing one extension silently pulls in the GlassWorm component. === File Hashes (SHA256) === Native installer binaries: - 1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168 - 4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd Downloaded VSIX payload: - 97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownporzhnev.swiftformat-deep-huball (affected)
unknownlyu-wen-studio-web-han.better-formatter-vscodeall (affected)
unknown* (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected)

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›