GlassWorm campaign uses compromised Open VSX developer access to spread malicious extensions

Campaign
Happening score
H score 40
2 unique sources, 3 articles

Summary

The GlassWorm campaign has evolved into a multi-stage malware operation that uses rogue packages across npm, PyPI, GitHub, and Open VSX to gain an initial foothold, then delivers data theft, a remote access trojan (RAT), and a Google Chrome extension masquerading as Google Docs Offline. The latest reporting says the malware logs keystrokes, steals cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo, while also targeting browser data, crypto wallets, and hardware wallet recovery phrases. The campaign is also expanding into MCP servers, including packages impersonating WaterCrawl, and defenders can use glassworm-hunter to scan local systems for associated payloads.

Related Happenings

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 02.02.2026 07:04 3 articles · 3mo ago

    Compromised Open VSX account publishes GlassWorm extensions

    Campaign Scope Update

    On January 30, 2026, attackers used compromised publishing credentials tied to the oorzc Open VSX account to publish malicious versions of FTP/SFTP/SSH Sync Tool, I18n Tools, vscode mindmap, and scss to css, embedding the GlassWorm malware loader in four established Open VSX extensions.

  2. 02.02.2026 07:04 1 article · 3mo ago

    Researchers disclose the Open VSX supply chain attack

    Initial Disclosure

    On February 2, 2026, cybersecurity researchers disclosed a supply chain attack targeting the Open VSX Registry, saying unidentified threat actors had compromised a legitimate developer's resources to push malicious updates and that the Open VSX security team assessed the compromise as a leaked token or other unauthorized access.
