CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

GlassWorm malware targets OpenVSX, VS Code registries

First reported
Last updated
2 unique sources, 17 articles

Summary

Hide ▲

GlassWorm has escalated into a multi-stage framework combining remote access trojans (RATs), data theft, and hardware wallet phishing, now leveraging Solana dead drops for C2, a novel browser extension for surveillance, and the Model Context Protocol (MCP) ecosystem. The campaign delivers a .NET binary targeting Ledger and Trezor devices by masquerading as configuration errors and prompting users to input recovery phrases, while a Websocket-based JavaScript RAT exfiltrates browser data and deploys HVNC or SOCKS proxy modules. The malware uses a Google Chrome extension disguised as Google Docs Offline for session surveillance on cryptocurrency platforms like Bybit and harvests extensive browser data. Recent innovations include a Zig-compiled dropper embedded within an Open VSX extension named 'specstudio.code-wakatime-activity-tracker' masquerading as WakaTime, which installs platform-specific Node.js native addons compiled from Zig code to stealthily infect all IDEs on a developer's machine. This dropper downloads a malicious VS Code extension (.VSIX) named 'floktokbok.autoimport' from an attacker-controlled GitHub account, which impersonates a legitimate extension with over 5 million installs and installs silently across all detected IDEs, avoiding execution on Russian systems and communicating with the Solana blockchain for C2. A new large-scale social engineering campaign has emerged, distributing fake VS Code security alerts posted in GitHub Discussions to automate posts across thousands of repositories using low-activity accounts, triggering GitHub email notifications with fake vulnerability advisories containing realistic CVE references. Links redirect victims through a cookie-driven chain to drnatashachinn[.]com, where a JavaScript reconnaissance payload profiles targets before delivering additional malicious payloads. This operation represents a coordinated, large-scale effort targeting developers. GlassWorm remains a persistent supply chain threat impacting npm, PyPI, GitHub, and Open VSX ecosystems. Since its emergence in October 2025, the campaign has evolved from invisible Unicode steganography in VS Code extensions to a sophisticated multi-vector operation spanning 151 compromised GitHub repositories and dozens of malicious npm packages. The threat actor, assessed to be Russian-speaking, continues to avoid infecting Russian-locale systems and leverages Solana blockchain transactions as dead drops for C2 resolution. Recent developments include the ForceMemo offshoot that force-pushes malicious code into Python repositories, the abuse of extensionPack and extensionDependencies for transitive malware delivery, and the introduction of Rust-based implants targeting developer toolchains. Eclipse Foundation and Open VSX have implemented security measures such as token revocation and automated scanning, but the threat actors have repeatedly adapted by rotating infrastructure, obfuscating payloads, and expanding into new ecosystems like MCP servers. A new wave of the GlassWorm campaign targets the OpenVSX ecosystem with 73 "sleeper" extensions that activate after updates, delivering malware to developers. Six extensions have already been activated, while the remainder remain dormant or suspicious. The campaign leverages thin loaders that fetch secondary VSIX packages or platform-specific modules at runtime, marking a shift in the group's tactics to evade detection by avoiding direct malware embedding in initial uploads. The extensions mimic legitimate listings using identical icons and near-identical names to deceive developers. Developers who installed these extensions are advised to rotate all secrets and perform a full system clean-up.

Timeline

  1. 16.03.2026 21:37 4 articles · 1mo ago

    GlassWorm malware campaign targets Python repositories using stolen GitHub tokens

    The GlassWorm malware campaign continues evolving with a new large-scale social engineering vector targeting developers on GitHub. Threat actors are distributing fake VS Code security alerts in GitHub Discussions to trick developers into downloading malware via realistic vulnerability advisories with fake CVE references and urgent language. The campaign uses automated posts from newly created or low-activity accounts across thousands of repositories within minutes to trigger GitHub email notifications, delivering fake VS Code extension patch links hosted on trusted services like Google Drive. These links redirect victims through a cookie-driven chain to drnatashachinn[.]com, where a JavaScript reconnaissance payload profiles victims—collecting timezone, locale, user agent, OS details, and automation indicators—serving as a traffic distribution system to filter targets before delivering additional malicious payloads. This coordinated, large-scale operation represents a sophisticated expansion of the GlassWorm campaign beyond its traditional supply chain compromises in npm, PyPI, GitHub, and OpenVSX registries. A new evolution in the GlassWorm campaign involves a Zig-compiled dropper embedded within an Open VSX extension named 'specstudio.code-wakatime-activity-tracker', which masquerades as WakaTime. This dropper installs platform-specific Node.js native addons compiled from Zig code that execute outside the JavaScript sandbox with full OS-level access, enabling the threat actor to stealthily infect all IDEs on a developer's machine—including VS Code, VSCodium, Positron, Cursor, and Windsurf. The dropper then downloads a malicious VS Code extension (.VSIX) named 'floktokbok.autoimport' from an attacker-controlled GitHub account, which impersonates a legitimate extension with over 5 million installs and installs silently across all detected IDEs. The second-stage extension avoids execution on Russian systems, communicates with the Solana blockchain for C2, exfiltrates data, and deploys an information-stealing RAT that ultimately installs a malicious Google Chrome extension. Users who installed the malicious extensions are advised to assume compromise and rotate all secrets immediately.

    Show sources
    Open in new tab
  2. 08.11.2025 18:17 7 articles · 5mo ago

    GlassWorm operators identified as Russian-speaking using RedExt C2 framework

    GlassWorm operators are Russian-speaking and use the RedExt open-source C2 browser extension framework. The malware has impacted systems globally, including the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security accessed the attackers' server and obtained key data on victims, including user IDs for multiple cryptocurrency exchanges and messaging platforms. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The Glassworm campaign is now in its third wave, with 24 new packages added on OpenVSX and Microsoft Visual Studio Marketplace. The malware now uses Rust-based implants and continues to employ invisible Unicode characters to hide malicious code. The packages target popular developer tools and frameworks, and the campaign uses artificially inflated download counts to manipulate search results. The third wave includes specific packages on both marketplaces, indicating a broad targeting scope. The new iteration of GlassWorm uses Rust-based implants packaged inside the extensions, targeting Windows and macOS systems. The implants fetch C2 server details from a Solana blockchain wallet address and use Google Calendar as a backup for C2 address retrieval. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  3. 02.11.2025 17:09 5 articles · 5mo ago

    GlassWorm threat actors pivot to GitHub using Unicode steganography

    The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. GlassWorm has returned with three new VSCode extensions on OpenVSX, downloaded over 10,000 times. The new extensions are ai-driven-dev.ai-driven-dev (3,400 downloads), adhamu.history-in-sublime-merge (4,000 downloads), and yasuyuky.transient-emacs (2,400 downloads). The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  4. 31.10.2025 10:02 6 articles · 5mo ago

    Eclipse Foundation revokes leaked tokens and introduces security measures

    Open VSX has implemented additional security measures, including shortening token lifetimes, faster revocation workflows, automated security scans, and threat intelligence sharing. The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  5. 20.10.2025 19:13 14 articles · 6mo ago

    GlassWorm malware campaign targets OpenVSX and VS Code registries

    A new wave of the GlassWorm campaign targets the OpenVSX ecosystem with 73 "sleeper" extensions that activate after updates, delivering malware to developers. Six of the extensions have already been activated, while researchers assess with high confidence that the rest are dormant or at least suspicious. When initially uploaded, the extensions are benign but deliver the payload at a later stage, revealing the attacker's true intention. This represents a shift in the attacker's strategy to introduce malicious payloads in subsequent updates rather than embedding them directly in the extensions, complicating early detection. The extensions act as thin loaders that fetch secondary VSIX packages from GitHub at runtime, load platform-specific compiled modules (.node files) containing core logic, or rely on heavily obfuscated JavaScript that decodes at runtime to fetch and install malicious extensions. The campaign continues to leverage compromised development ecosystems, including GitHub repositories, npm packages, and both the Visual Studio Code Marketplace and OpenVSX, reinforcing its persistent and adaptive nature. Developers who installed any of these extensions should assume compromise and rotate all secrets and passwords, performing a full system clean-up.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Malicious Ledger Live macOS app on Apple App Store facilitates $9.5M crypto theft via seed phrase harvesting

A fraudulent Ledger Live macOS application, distributed through Apple’s App Store under the publisher name ‘Leva Heal Limited,’ compromised approximately 50 users in early April 2026, resulting in the theft of $9.5 million in cryptocurrency assets. The illicit app tricked users into entering seed phrases, granting attackers full wallet control and enabling fund transfers to attacker-controlled addresses. The incident is part of the broader Apple App Store infiltration campaign dubbed FakeWallet, linked to the SparkKitty operation and active since at least fall 2025. Kaspersky identified 26 malicious apps impersonating major wallets (e.g., Ledger, MetaMask, Coinbase) to steal seed phrases and drain crypto assets, with malware delivered via libraries, injected code, or OCR-based recovery phrase theft. Some apps contained latent malicious features awaiting future activation, and the campaign’s modules lacked regional restrictions despite initial targeting of Chinese-speaking users. Apple began removing malicious apps after Kaspersky’s disclosure, freezing implicated KuCoin accounts until April 20, 2026. New details indicate the apps redirected users to fake App Store-like browser pages to distribute trojanized wallet versions, while some non-crypto apps (e.g., games, calculators) acted as placeholders to direct victims to official wallets under regulatory pretexts. Attackers used OCR modules to capture recovery phrases and employed sophisticated phishing tactics, including code hooking during entry and fake verification prompts, to maximize theft efficiency.

Open in new tab

Supply chain compromise of axios npm package delivers cross-platform RATs via malicious dependency

A North Korea-nexus threat actor (UNC1069) compromised the npm account of axios maintainer Jason Saayman via a two-week social engineering campaign and published malicious axios versions v1.14.1 and v0.30.4 containing the plain-crypto-js dependency to deliver cross-platform RATs with full unilateral control capabilities, bypassing 2FA. The attack’s blast radius has expanded beyond developer ecosystems after OpenAI revealed that a GitHub Actions workflow used for macOS app signing downloaded the malicious axios library, prompting OpenAI to revoke its macOS app certificate as a precaution despite no evidence of compromise. This incident underscores the escalating risks of supply chain compromises, with Google warning that hundreds of thousands of stolen secrets from the axios and Trivy attacks could fuel further software supply chain attacks, SaaS compromises, ransomware, and cryptocurrency theft. The campaign reflects an industrialized social engineering model targeting high-value individuals and open source maintainers, leveraging AI-enhanced trust-building and matured attacker tooling. Additional supply chain attacks in March 2026, such as the compromise of Trivy by TeamPCP (UNC6780), have compounded the threat landscape, exposing organizations like the European Commission and Mercor to downstream risks.

Open in new tab

Ongoing Ghost Cluster Targets npm and GitHub in Multi-Stage Credential and Crypto Wallet Theft Campaign

A coordinated campaign tracked as Ghost continues to target developers via malicious npm packages and GitHub repositories to deploy credential stealers and cryptocurrency wallet harvesters. The operation leverages social engineering and multi-stage infection chains, including fake installation wizards that request sudo/administrator privileges and deceptive npm logs simulating dependency downloads and progress indicators. Stolen data—including browser credentials, crypto wallets, SSH keys, and cloud tokens—is exfiltrated to Telegram channels and BSC smart contracts. The campaign employs a dual monetization model combining credential theft via Telegram channels with affiliate link redirections stored in a BSC smart contract. Malicious npm packages first appeared under the user 'mikilanjijo', with operations beginning as early as February 2026 and expanding to at least 11 packages such as react-performance-suite and react-query-core-utils. The final payload is a remote access trojan that downloads from Telegram channels, decrypts using externally retrieved keys, and executes locally using stolen sudo passwords to harvest credentials and deploy GhostLoader.

Open in new tab

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

Supply chain compromise in the Trivy vulnerability scanner triggered the CanisterWorm propagation across CI/CD pipelines, now expanding to additional open-source ecosystems and involving multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) and Cisco confirming collaboration and horizontal movement across cloud environments. A new npm supply chain malware campaign discovered on April 24, 2026, shows self-propagating worm-like behavior via @automagik/genie and pgserve packages, stealing credentials and spreading across developer ecosystems while using Internet Computer Protocol (ICP) canisters for command and control. The malware shares technical similarities with prior TeamPCP campaigns, including post-install scripts and canister-based infrastructure, potentially indicating ongoing evolution of the threat actor's tactics or a new campaign leveraging established infrastructure. The Axios NPM package compromise via malicious versions 0.27.5 and 0.28.0 delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with attribution disputes suggesting either TeamPCP involvement or North Korean actor UNC1069 (Google's Threat Intelligence Group). Cisco's internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories including proprietary AI product code and customer data from banks, BPOs, and US government agencies. Multiple AWS keys were abused across a subset of Cisco's cloud accounts, with multiple threat actors participating in the breach.

Open in new tab

TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment.

Open in new tab