
LummaStealer Windows extension-delivery chain

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary


A Windows payload chain now runs LummaStealer after malicious extension execution, putting cryptocurrency wallet data, browser credentials, and messaging app data at risk. The malware is delivered through a multi-stage script sequence rather than a direct binary launch. That makes the extension-install path a practical theft mechanism for affected users.

Related Happenings

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

DeepLoad credential-stealing malware activity with WMI persistence

Malware Activity
First: 31.03.2026 00:25 Last: 31.03.2026 00:25 Sources 1

About this happening: The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...

GlassWorm open-source supply-chain campaign targeting developers

Campaign
First: 14.03.2026 14:55 Last: 14.03.2026 14:55 Sources 1

About this happening: The **GlassWorm** campaign has added a new **Open VSX** wave of **73 cloned VS Code extensions** that impersonate legitimate packages to build trust before delivering malware. **S...

Latest development: 17.03.2026 23:42

GlassWorm renewed its supply-chain campaign against GitHub, npm, and VSCode/OpenVSX, with researchers identifying 433 compromised components this month across 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. The operators compromised GitHub accounts to force-push malicious commits, published obfuscated code using invisible Unicode characters, and used Solana blockchain transactions as C2 to deliver a Node.js runtime and a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

InstallFix Claude Code malvertising campaign

Campaign
First: 06.03.2026 17:00 Last: 06.03.2026 17:00 Sources 1

About this happening: **InstallFix** is being used in an active **malvertising** operation that pushes cloned **Claude Code** install pages and malicious CLI instructions, putting users who search for...

Timeline

  1. 13.09.2025 17:00 2 articles · 8mo ago

    WhiteCobra Windows chain delivers LummaStealer

    Technical Analysis Update

    WhiteCobra's Windows extension-delivery chain stages its next payload from Cloudflare Pages and uses a PowerShell script, a Python script, and shellcode to launch LummaStealer after extension execution; on Windows, the infostealer targets cryptocurrency wallet apps, web extensions, browser-stored credentials, and messaging app data.
