GlassWorm Attack Escalates to Target AI Development Tools in Major Supply Chain Breach
Cybersecurity researchers discover 72 new malicious extensions specifically targeting AI-powered development environments.
Massive Escalation in AI-Targeted Attacks
Cybersecurity researchers have identified a significant escalation in the GlassWorm supply chain attack, with at least 72 additional malicious extensions discovered since late January 2026. The latest findings reveal that attackers are now specifically targeting developers using artificial intelligence tools, marking a dangerous evolution in supply chain security threats.
The malicious extensions impersonate popular AI developer assistants including Claude Code, Codex, and Google Antigravity, directly infiltrating the AI development ecosystem that European organisations increasingly depend upon.
Technical Sophistication Reaches New Heights
The attackers have demonstrated remarkable technical innovation, abusing legitimate extension features like extensionPack and extensionDependencies to deploy malware through transitive dependencies. A code review of the extension being installed does not catch this, because the malicious payload is delivered indirectly through seemingly legitimate dependency chains.
Particularly concerning is the use of invisible Unicode characters to hide malicious code that steals tokens, credentials, and secrets. Between March 3 and 9, 2026 alone, no fewer than 151 GitHub repositories were compromised using these techniques.
European Implications for AI Security
This development carries significant implications for European organisations, particularly given the EU’s recent focus on AI regulation and supply chain security under the AI Act. Irish and European companies building AI solutions or using AI-powered development tools face direct exposure to these sophisticated attacks.
The attack method is especially troubling as it targets the fundamental trust model of open-source development tools that underpin much of Europe’s growing AI sector.
Immediate Actions Required
While Open VSX has removed the identified malicious extensions, the attackers retain the ability to modify payloads remotely without publishing new versions. Development teams should immediately audit their installed extensions, implement strict extension approval processes, and monitor for unusual network activity from development environments.
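One way to run the audit recommended above, as an added example that is not from the original report or from any vendor tooling: it follows extensionPack and extensionDependencies from an approved list to everything those extensions install, and flags invisible Unicode code points in source text. The function names, the sample extension IDs and the choice of code points are assumptions of this example; manifests are read as package.json files from per-extension folders in an extensions directory whose location depends on the editor.

```python
import json
import unicodedata
from pathlib import Path

# Added example; function names and SAMPLE ids are hypothetical.
def load_manifests(ext_dir):
    """Map 'publisher.name' -> manifest for every <ext_dir>/*/package.json."""
    found = {}
    for path in Path(ext_dir).glob("*/package.json"):
        m = json.loads(path.read_text(encoding="utf-8"))
        if "publisher" in m and "name" in m:
            found[f"{m['publisher']}.{m['name']}".lower()] = m
    return found

def pulled_in(manifests, root):
    """Return {extension id: chain from root} for everything root installs."""
    root = root.lower()
    chains, stack = {}, [(root, [root])]
    while stack:
        ext, chain = stack.pop()
        m = manifests.get(ext, {})
        for child in m.get("extensionPack", []) + m.get("extensionDependencies", []):
            child = child.lower()
            if child != root and child not in chains:
                chains[child] = chain + [child]
                stack.append((child, chains[child]))
    return chains

def unapproved(manifests, approved):
    """Extensions reachable from the approved set that were never approved."""
    approved = sorted({a.lower() for a in approved})
    report = {}
    for root in approved:
        for ext, chain in pulled_in(manifests, root).items():
            if ext not in approved:
                report.setdefault(ext, chain)
    return report

# Assumption: which code points count as invisible is this example's choice.
def invisible_chars(text):
    """(offset, 'U+XXXX') for format, private-use and variation-selector code points."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text)
            if unicodedata.category(c) in ("Cf", "Co")
            or 0xFE00 <= ord(c) <= 0xFE0F or 0xE0100 <= ord(c) <= 0xE01EF]

# Constructed sample: an approved pack whose chain ends in an unreviewed extension.
SAMPLE = {"acme.ai-helper": {"extensionPack": ["acme.theme"]},
          "acme.theme": {"extensionDependencies": ["unknown.loader"]}}
```

U+FE0F and zero-width joiners also appear in legitimate emoji sequences, so a hit inside a string literal needs a manual look before it is treated as hidden code.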
Unresolved Security Concerns
Key questions remain about the full scope of the compromise and whether other extension marketplaces beyond Open VSX have been similarly infiltrated. The ability of attackers to maintain persistent access even after detection suggests this campaign may have broader implications than currently understood.
Source: Security Research