← Back to Blog
Security Briefing4 min read2026-04-28

Security Briefing, April 28 2026: Robinhood Phishing Emails, PyPI Infostealer, and GlassWorm Sleeper Extensions

This morning’s lesson is ugly and simple: trusted onboarding, trusted package managers, and trusted editor marketplaces are all being used as delivery systems.


Top line: Three stories matter right now: attacker-controlled content inside legitimate Robinhood mail, a forged open-source release with secrets-stealing payloads, and delayed-action VS Code extensions built to wake up later.


1. Robinhood’s onboarding flow was bent into a phishing channel

Attackers abused Robinhood’s account creation process to inject HTML into legitimate login-alert emails sent from noreply@robinhood.com. The messages passed SPF and DKIM, looked real, and pushed victims toward a phishing site. The takeaway is brutal: sender trust alone is dead if application content is not sanitized.


2. elementary-data on PyPI turned a normal release flow into credential theft

The popular elementary-data package was compromised through GitHub Actions script injection, which exposed a workflow token and let the attacker forge a signed release. Version 0.23.3 then shipped an infostealer targeting SSH keys, cloud credentials, CI secrets, wallet files, and developer environment data, with the same blast radius reaching container images.


3. GlassWorm’s 73 OpenVSX sleeper extensions show supply-chain attackers are getting quieter

Socket found 73 OpenVSX extensions tied to GlassWorm, with six already activated. The new trick is patience: publish something that looks harmless, wait for trust to build, then deliver the payload in a later update. That is a smarter and nastier version of the same ecosystem abuse defenders keep underestimating.


What security teams should do today

  1. Recheck every user-facing email template that reflects customer or device data.
  2. Search for the compromised PyPI package and force secret rotation where it executed.
  3. Inventory VS Code and OpenVSX extensions across developer fleets before the next update wave hits.
  4. Stop treating trust surfaces as UX details. They are part of the attack surface now.

Sources


Bottom line: Today’s pattern is not exotic malware. It is ordinary trust being turned into transport. If a workflow, template, or marketplace looks routine, attackers already noticed.

Find the trust paths attackers are already testing

KENSAI helps teams map exposed workflows, risky dependencies, and developer-surface blind spots before those trust paths turn into real incidents.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team