Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm campaign returns in repeated waves across extension marketplaces

Campaign
First reported
Last updated
Happening score
H score 40
3 unique sources, 9 articles

Summary

Hide ▲

GlassWorm is an ongoing supply-chain attack targeting developers through the OpenVSX and Microsoft Visual Studio Marketplace extension ecosystems. In the latest confirmed wave, the malware was installed an estimated 35,800 times across infected extensions, including OpenVSX packages and one Microsoft VS Code Marketplace extension. The payload hides malicious code with invisible Unicode characters, steals GitHub, npm, and OpenVSX credentials plus cryptocurrency wallet data, and spreads through stolen account access. The operators use Solana blockchain for command-and-control, with Google Calendar as a backup delivery path, while some compromised extensions were still available and the C2 and payload servers remained active at publication time.

Related Happenings

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

JetBrains Marketplace malicious plugins exfiltrating AI provider keys

Malware Activity
H score12 First: 17.06.2026 12:38 Last: 17.06.2026 12:38 Sources 1

About this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...

JetBrains Marketplace malicious plugin API-key theft campaign

Campaign
H score15 First: 17.06.2026 00:54 Last: 17.06.2026 00:54 Sources 1

About this happening: A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...

Timeline

  1. 17.03.2026 23:42 4 articles · 3mo ago

    GlassWorm expands supply-chain campaign across GitHub, npm, and VSCode/OpenVSX

    Campaign Scope Update

    GlassWorm renewed its supply-chain campaign with a coordinated wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX this month, including 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. Attackers compromised GitHub accounts to force-push malicious commits, then published obfuscated packages and extensions that queried a Solana blockchain C2 channel every five seconds and delivered a Node.js-based JavaScript infostealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

    Show sources
  2. 01.01.2026 17:18 4 articles · 6mo ago

    Fourth GlassWorm wave targets macOS developers

    Initial Disclosure

    A fourth GlassWorm wave targets macOS developers through malicious VSCode/OpenVSX extensions that deliver trojanized crypto wallet applications. The campaign uses an AES-256-CBC–encrypted payload embedded in compiled JavaScript, executes after a 15-minute delay, uses AppleScript and LaunchAgents for persistence on macOS, keeps a Solana blockchain-based C2 channel, attempts to steal GitHub, npm, OpenVSX, and Keychain credentials, and checks for Ledger Live and Trezor Suite to replace them with trojanized versions.

    Show sources
  3. 02.11.2025 17:09 2 articles · 8mo ago

    Open VSX rotates leaked access tokens after GlassWorm supply-chain abuse

    Mitigation Patch Update

    The Open VSX registry, developed under the Eclipse Foundation, rotated access tokens after developers accidentally leaked credentials in public repositories and threat actors used some of those tokens in the GlassWorm malware campaign. By October 21, all malicious extensions had been removed from the registry and the associated tokens were rotated or revoked, containing the incident with no ongoing impact.

    Show sources