A compromised Open VSX publisher account was used to distribute malicious extensions in a new GlassWorm supply chain attack.