Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm campaign uses compromised Open VSX developer access to spread malicious extensions

Campaign
First reported
Last updated
Happening score
H score 30
2 unique sources, 3 articles

Summary

Hide ▲

The GlassWorm campaign has evolved into a multi-stage malware operation that uses rogue packages across npm, PyPI, GitHub, and Open VSX to gain an initial foothold, then delivers data theft, a remote access trojan (RAT), and a Google Chrome extension masquerading as Google Docs Offline. The latest reporting says the malware logs keystrokes, steals cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo, while also targeting browser data, crypto wallets, and hardware wallet recovery phrases. The campaign is also expanding into MCP servers, including packages impersonating WaterCrawl, and defenders can use glassworm-hunter to scan local systems for associated payloads.

Related Happenings

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

O1oo1 packages SilabRAT and AsmCrypt as a dark-web MaaS ecosystem

Threat Actor Meta
H score31 First: 10.06.2026 18:30 Last: 10.06.2026 18:30 Sources 1

About this happening: **o1oo1** is selling **SilabRAT** as a **$5000/month MaaS** and bundling it with **AsmCrypt**, turning the malware into a packaged criminal service that lowers adoption barriers....

SilabRAT session-hijacking crypto-draining malware activity

Malware Activity
H score24 First: 10.06.2026 18:30 Last: 10.06.2026 18:30 Sources 1

About this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...

Timeline

  1. 02.02.2026 07:04 3 articles · 5mo ago

    Compromised Open VSX account publishes GlassWorm extensions

    Campaign Scope Update

    On January 30, 2026, attackers used compromised publishing credentials tied to the oorzc Open VSX account to publish malicious versions of FTP/SFTP/SSH Sync Tool, I18n Tools, vscode mindmap, and scss to css, embedding the GlassWorm malware loader in four established Open VSX extensions.

    Show sources
  2. 02.02.2026 07:04 1 articles · 5mo ago

    Researchers disclose the Open VSX supply chain attack

    Initial Disclosure

    On February 2, 2026, cybersecurity researchers disclosed a supply chain attack targeting the Open VSX Registry, saying unidentified threat actors had compromised a legitimate developer's resources to push malicious updates and that the Open VSX security team assessed the compromise as a leaked token or other unauthorized access.

    Show sources