GlassWorm campaign returns in repeated waves across extension marketplaces
Campaign
Summary
Hide ▲
Show ▼
GlassWorm is an ongoing supply-chain attack targeting developers through the OpenVSX and Microsoft Visual Studio Marketplace extension ecosystems. In the latest confirmed wave, the malware was installed an estimated 35,800 times across infected extensions, including OpenVSX packages and one Microsoft VS Code Marketplace extension. The payload hides malicious code with invisible Unicode characters, steals GitHub, npm, and OpenVSX credentials plus cryptocurrency wallet data, and spreads through stolen account access. The operators use Solana blockchain for command-and-control, with Google Calendar as a backup delivery path, while some compromised extensions were still available and the C2 and payload servers remained active at publication time.
Related Happenings
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware Activity
H score12
First: 17.06.2026 12:38
Last: 17.06.2026 12:38
Sources 1
About this happening:
A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware ActivityAbout this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
JetBrains Marketplace malicious plugin API-key theft campaign
Campaign
H score15
First: 17.06.2026 00:54
Last: 17.06.2026 00:54
Sources 1
About this happening:
A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...
JetBrains Marketplace malicious plugin API-key theft campaign
CampaignAbout this happening: A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...
Timeline
-
17.03.2026 23:42 4 articles · 3mo ago
GlassWorm expands supply-chain campaign across GitHub, npm, and VSCode/OpenVSX
Campaign Scope UpdateGlassWorm renewed its supply-chain campaign with a coordinated wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX this month, including 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. Attackers compromised GitHub accounts to force-push malicious commits, then published obfuscated packages and extensions that queried a Solana blockchain C2 channel every five seconds and delivered a Node.js-based JavaScript infostealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
Show sources
- GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX — www.bleepingcomputer.com — 17.03.2026 23:42
- Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware — thehackernews.com — 27.04.2026 14:23
- GlassWorm malware returns on OpenVSX with 3 new VSCode extensions — www.bleepingcomputer.com — 08.11.2025 18:17
- GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools — thehackernews.com — 02.12.2025 17:01
-
01.01.2026 17:18 4 articles · 6mo ago
Fourth GlassWorm wave targets macOS developers
Initial DisclosureA fourth GlassWorm wave targets macOS developers through malicious VSCode/OpenVSX extensions that deliver trojanized crypto wallet applications. The campaign uses an AES-256-CBC–encrypted payload embedded in compiled JavaScript, executes after a 15-minute delay, uses AppleScript and LaunchAgents for persistence on macOS, keeps a Solana blockchain-based C2 channel, attempts to steal GitHub, npm, OpenVSX, and Keychain credentials, and checks for Ledger Live and Trezor Suite to replace them with trojanized versions.
Show sources
- New GlassWorm malware wave targets Macs with trojanized crypto wallets — www.bleepingcomputer.com — 01.01.2026 17:18
- New GlassWorm malware wave targets Macs with trojanized crypto wallets — www.bleepingcomputer.com — 01.01.2026 17:18
- New GlassWorm attack targets macOS via compromised OpenVSX extensions — www.bleepingcomputer.com — 03.02.2026 00:04
- Self-spreading GlassWorm malware hits OpenVSX, VS Code registries — www.bleepingcomputer.com — 20.10.2025 19:13
-
02.11.2025 17:09 2 articles · 8mo ago
Open VSX rotates leaked access tokens after GlassWorm supply-chain abuse
Mitigation Patch UpdateThe Open VSX registry, developed under the Eclipse Foundation, rotated access tokens after developers accidentally leaked credentials in public repositories and threat actors used some of those tokens in the GlassWorm malware campaign. By October 21, all malicious extensions had been removed from the registry and the associated tokens were rotated or revoked, containing the incident with no ongoing impact.
Show sources
- Open VSX rotates access tokens used in supply-chain malware attack — www.bleepingcomputer.com — 02.11.2025 17:09
- CrowdStrike, Google Take Down Glassworm Botnet — www.infosecurity-magazine.com — 27.05.2026 17:00