
VS Code
Microsoft's free code editor; target of GlassWorm's OpenVSX extension supply-chain attack.
Last refreshed: 8 May 2026
Timeline for VS Code
UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing
Cybersecurity: Threats and Defences
- What is Open VSX and how is it different from the VS Code Marketplace?
- Open VSX Registry is an open-source extension marketplace maintained by the Eclipse Foundation for VS Code-compatible editors (VSCodium, Gitpod, Theia) that cannot use Microsoft's proprietary Visual Studio Marketplace. It hosts many of the same extensions as the Microsoft marketplace.
- What was the GlassWorm VS Code extension attack?
- GlassWorm hijacked 73 extensions on the Open VSX Registry by phishing maintainer accounts, injecting a malicious npm dependency (plain-crypto-js) that installed the WAVESHAPER.V2 backdoor on developers' machines.
- Are VS Code extensions safe to install?
- VS Code extensions carry supply-chain risk. Extensions on both the Microsoft Marketplace and Open VSX Registry have been used to distribute malware; GlassWorm's 2026 attack compromised 73 Open VSX extensions via maintainer phishing, deploying the WAVESHAPER.V2 backdoor.
Background
Visual Studio Code (VS Code) is a free, open-source code editor developed by Microsoft, first released in 2015. It has become the dominant development environment globally, with over 70% market share among professional developers according to the 2024 Stack Overflow Developer Survey. VS Code supports extensions — plugins that add language support, debuggers, linters, and other tooling — distributed through Microsoft's Visual Studio Marketplace. The editor is built on the Electron framework and runs on Windows, macOS, and Linux.
A parallel extension marketplace, Open VSX Registry (open-vsx.org), was created by the Eclipse Foundation for non-Microsoft distributions of VS Code and VS Code-compatible editors (VSCodium, Gitpod, Eclipse Che, Theia) that cannot legally access the proprietary Microsoft Marketplace. Open VSX mirrors many popular extensions and also hosts extensions not available on Microsoft's platform.
The threat actor GlassWorm conducted a supply-chain attack against the Open VSX Registry, hijacking 73 published extensions by compromising maintainer accounts via phishing. The malicious versions deployed the WAVESHAPER.V2 backdoor via a dependency on a malicious npm package called `plain-crypto-js`. The attack affected developers using VS Code-compatible editors that pull from Open VSX — including corporate and government environments running VSCodium on hardened Linux workstations — rather than users of the Microsoft Marketplace.