GlassWorm campaign uses compromised Open VSX developer access to spread malicious extensions
Campaign
Summary
Hide ▲
Show ▼
The GlassWorm campaign has evolved into a multi-stage malware operation that uses rogue packages across npm, PyPI, GitHub, and Open VSX to gain an initial foothold, then delivers data theft, a remote access trojan (RAT), and a Google Chrome extension masquerading as Google Docs Offline. The latest reporting says the malware logs keystrokes, steals cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo, while also targeting browser data, crypto wallets, and hardware wallet recovery phrases. The campaign is also expanding into MCP servers, including packages impersonating WaterCrawl, and defenders can use glassworm-hunter to scan local systems for associated payloads.
Related Happenings
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS ClickFix Terminal-delivered DMG campaign
Campaign
H score37
First: 23.06.2026 21:30
Last: 23.06.2026 21:30
Sources 1
About this happening:
A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
MacOS ClickFix Terminal-delivered DMG campaign
CampaignAbout this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
AUR package-hijacking campaign delivering atomic-lockfile
CampaignAbout this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
O1oo1 packages SilabRAT and AsmCrypt as a dark-web MaaS ecosystem
Threat Actor Meta
H score31
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
About this happening:
**o1oo1** is selling **SilabRAT** as a **$5000/month MaaS** and bundling it with **AsmCrypt**, turning the malware into a packaged criminal service that lowers adoption barriers....
O1oo1 packages SilabRAT and AsmCrypt as a dark-web MaaS ecosystem
Threat Actor MetaAbout this happening: **o1oo1** is selling **SilabRAT** as a **$5000/month MaaS** and bundling it with **AsmCrypt**, turning the malware into a packaged criminal service that lowers adoption barriers....
SilabRAT session-hijacking crypto-draining malware activity
Malware Activity
H score24
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
About this happening:
The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
SilabRAT session-hijacking crypto-draining malware activity
Malware ActivityAbout this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
Timeline
-
02.02.2026 07:04 3 articles · 5mo ago
Compromised Open VSX account publishes GlassWorm extensions
Campaign Scope UpdateOn January 30, 2026, attackers used compromised publishing credentials tied to the oorzc Open VSX account to publish malicious versions of FTP/SFTP/SSH Sync Tool, I18n Tools, vscode mindmap, and scss to css, embedding the GlassWorm malware loader in four established Open VSX extensions.
Show sources
- Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm — thehackernews.com — 02.02.2026 07:04
- New GlassWorm attack targets macOS via compromised OpenVSX extensions — www.bleepingcomputer.com — 03.02.2026 00:04
- GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data — thehackernews.com — 25.03.2026 16:26
-
02.02.2026 07:04 1 articles · 5mo ago
Researchers disclose the Open VSX supply chain attack
Initial DisclosureOn February 2, 2026, cybersecurity researchers disclosed a supply chain attack targeting the Open VSX Registry, saying unidentified threat actors had compromised a legitimate developer's resources to push malicious updates and that the Open VSX security team assessed the compromise as a leaked token or other unauthorized access.
Show sources
- Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm — thehackernews.com — 02.02.2026 07:04