Threat Library

Confirmed compromise campaigns across the marketplaces we track — affected extensions, malicious versions, and indicators of compromise. Search by hash, domain, campaign, store, or extension ID.

4 campaigns

54 affected extensions

269 IOCs

132 samples

critical 2025-10-17

GlassWorm

First self-propagating worm using invisible-Unicode code; hit OpenVSX and the VS Code Marketplace, harvested NPM/GitHub/OpenVSX/Git credentials and 49 crypto wallets, and deployed the ZOMBI RAT.

openvsxvscode

14 ext 137 IOCs 132 samples

critical 2025-09-15

Shai-Hulud

Self-replicating npm worm (Sept 2025, plus v2.0 Nov 2025 and Mini Shai-Hulud May 2026). Used TruffleHog to steal cloud/AI credentials; later waves explicitly targeted Claude Code / MCP config files.

mcpnpm

3 ext 129 IOCs

high 2025-07-08

RedDirection

Legitimate, long-clean Chrome and Edge extensions turned malicious via routine auto-updates. Koi found 18 (~2.3M users); Spin.AI expanded the same campaign to 36 extensions and ~16.5M users.

chromeedge

36 ext 1 IOCs

high 2024-12-25

Cyberhaven / GraphQL Network Inspector

OAuth-phishing of extension developers led to malicious updates. GraphQL Network Inspector v2.22.6 injected credential/session-stealing JS. The only Chrome-extension incident with published file hashes.

chrome

1 ext 2 IOCs

Campaign:

Store: Severity:

Affected extensions

54 of 54

Extension	Store	Malicious version	Installs	Campaign	Archived
codejoy-vscode-extension codejoy.codejoy-vscode-extension	openvsx	1.8.3, 1.8.4	—	GlassWorm	yes
vscode-theme-seti-folder l-igh-t.vscode-theme-seti-folder	openvsx	1.2.3	—	GlassWorm	yes
serenity-dsl-syntaxhighlight kleinesfilmroellchen.serenity-dsl-syntaxhighlight	openvsx	0.3.2	—	GlassWorm	yes
rust-doc-viewer JScearcy.rust-doc-viewer	openvsx	4.2.1	—	GlassWorm	yes
dark-theme-sm SIRILMP.dark-theme-sm	openvsx	3.11.4	—	GlassWorm	yes
git-worktree-menu CodeInKlingon.git-worktree-menu	openvsx	1.0.9, 1.0.91	—	GlassWorm	yes
better-nunjucks ginfuru.better-nunjucks	openvsx	0.3.2	—	GlassWorm	no
recoil ellacrity.recoil	openvsx	0.7.4	—	GlassWorm	yes
positron-plus-1-e grrrck.positron-plus-1-e	openvsx	0.0.71	—	GlassWorm	yes
color-picker-universal jeronimoekerdt.color-picker-universal	openvsx	2.8.91	—	GlassWorm	no
srcery-colors srcery-colors.srcery-colors	openvsx	0.3.9	—	GlassWorm	yes
shopify-liquid sissel.shopify-liquid	openvsx	4.0.1	—	GlassWorm	yes
forts-api-extention TretinV3.forts-api-extention	openvsx	0.3.1	—	GlassWorm	yes
cline-ai-agent cline-ai-main.cline-ai-agent	vscode	3.1.3	—	GlassWorm	no
mcp-knowledge-base mcp-knowledge-base	mcp	0.0.2	—	Shai-Hulud	no
@ctrl/tinycolor @ctrl/tinycolor	npm	4.1.1	—	Shai-Hulud	no
rxnt-authentication rxnt-authentication	npm	0.0.3	—	Shai-Hulud	no
2048 Game iabflonngmpkalkpbjonemaamlgdghea	chrome	—	1M	RedDirection	no
Adblock Unlimited - Adblocker jiaopkfkampgnnkckajcbdgannoipcne	chrome	—	90K	RedDirection	no
Image Downloader - Save pictures daeljdgmllhgmbdkpgnaojldjkdgkbjg	chrome	—	200K	RedDirection	yes
Web Music Downloader dmbjkidogjmmlejdmnecpmfapdmidfjg	chrome	—	500K	RedDirection	no
Super Mario Bros Game pegfdldddiilihjahcpdehhhfcbibipg	chrome	—	200K	RedDirection	no
Video downloader - download any video kfpgookelklhphhnihipmknjdgbeecgj	chrome	—	1M	RedDirection	no
Screen Capture pmnphobdokkajkpbkajlaiooipfcpgio	chrome	—	700K	RedDirection	no
Dictionary all over with Synonyms ahjhlnckcgnoikkfkfnkbfengklhglpg	chrome	—	400K	RedDirection	no
Multi Chat - Messenger for WhatsApp dllplfhjknghhdneiblmkolbjappecbe	chrome	—	2M	RedDirection	yes
Video Downloader Online jglemppahimembneahjbkhjknnefeeio	chrome	—	700K	RedDirection	no
PiP (Picture in picture) nalkmonnmldhpfcpdlbdpljlaajlaphh	chrome	—	800K	RedDirection	yes
Mute Tab - Silent in a click inhefjomnpfkkegfklclbjhkifmpkkmn	chrome	—	30K	RedDirection	no
Dark Mode for Chrome jhhjdfldilccfllhlbjdlhknlfbhpgeg	chrome	—	4M	RedDirection	no
Good Video Downloader mhpcabliilgadobjpkameggapnpeppdg	chrome	—	400K	RedDirection	no
Flash Player Enabler eplfglplnlljjpeiccbgnijecmkeimed	chrome	—	300K	RedDirection	no
Auto HD & Additions for Youtube lagdcjmbchphhndlbpfajelapcodekll	chrome	—	800K	RedDirection	no
What Font - find font acpcapnaopbhbelhmbbmppghilclpkep	chrome	—	1M	RedDirection	no
Floating Video with Playback Controls pnanegnllonoiklmmlegcaajoicfifcm	chrome	—	80K	RedDirection	yes
Emoji keyboard online kgmeffmlnkfnjpgmdndccklfigfhajen	chrome	—	—	RedDirection	no
Free Weather Forecast dpdibkjjgbaadnnjhkmmnenkmbnhpobj	chrome	—	—	RedDirection	no
Video Speed Controller - Video manager gaiceihehajjahakcglkhmdbbdclbnlf	chrome	—	—	RedDirection	no
Unlock Discord - VPN Proxy mlgbkfnjdmaoldgagamcnommbbnhfnhf	chrome	—	—	RedDirection	no
Dark Theme - Dark Reader for Chrome eckokfcjbjbgjifpcbdmengnabecdakp	chrome	—	—	RedDirection	no
Volume Max - Ultimate Sound Booster mgbhdehiapbjamfgekfpebmhmnmcmemg	chrome	—	—	RedDirection	no
Unblock TikTok cbajickflblmpjodnjoldpiicfmecmif	chrome	—	—	RedDirection	no
Unlock YouTube VPN pdbfcnhlobhoahcamoefbfodpmklgmjm	chrome	—	—	RedDirection	no
Color Picker, Eyedropper - Geco eokjikchkppnkdipbiggnmlkahcdkikp	chrome	—	—	RedDirection	no
Weather ihbiedpeaicgipncdnnkikeehnjiddck	chrome	—	—	RedDirection	no
Unlock TikTok jjdajogomggcjifnjgkpghcijgkbcjdi	edge	—	—	RedDirection	no
Volume Booster - Increase your sound mmcnmppeeghenglmidpmjkaiamcacmgm	edge	—	—	RedDirection	no
Web Sound Equalizer ojdkklpgpacpicaobnhankbalkkgaafp	edge	—	—	RedDirection	no
Header Value lodeighbngipjjedfelnboplhgediclp	edge	—	—	RedDirection	no
Flash Player - games emulator hkjagicdaogfgdifaklcgajmgefjllmd	edge	—	—	RedDirection	no
Youtube Unblocked gflkbgebojohihfnnplhbdakoipdbpdm	edge	—	—	RedDirection	no
SearchGPT - ChatGPT for Search Engine kpilmncnoafddjpnbhepaiilgkdcieaf	edge	—	—	RedDirection	no
Unlock Discord caibdnkmpnjhjdfnomfhijhmebigcelo	edge	—	—	RedDirection	no
GraphQL Network Inspector unknown-graphql-network-inspector	chrome	2.22.6	—	Cyberhaven	no