A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 “sleeper” extensions that turn malicious after an update.
Six of the extensions have been activated and deliver malware, while researchers assess with high confidence that the rest of them are dormant or at least suspicious.
The extensions are benign when first uploaded and deliver the payload only at a later stage, revealing the attacker’s true intention.
