Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm malware abuses compromised OpenVSX extensions to steal credentials from macOS systems

Malware Activity
First reported
Last updated
Happening score
H score 28
2 unique sources, 2 articles

Summary

Hide ▲

GlassWorm is a malware campaign that now also fuels ForceMemo, a supply-chain attack that steals GitHub tokens and force-pushes malicious code into Python repositories. StepSecurity says the earliest injections date to March 8, 2026, and the attackers target projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like `setup.py`, `main.py`, and `app.py`. The campaign still uses VS Code and Cursor extensions to compromise developer systems, then relies on a Solana wallet to fetch payload URLs and deliver additional malware. Aikido Security also linked the activity to a separate wave that compromised more than 151 GitHub repositories, showing the operation has expanded from extension abuse into broader GitHub account takeover.

Related Happenings

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

JetBrains Marketplace malicious plugins exfiltrating AI provider keys

Malware Activity
H score12 First: 17.06.2026 12:38 Last: 17.06.2026 12:38 Sources 1

About this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...

Developers' AI provider API keys exfiltrated via malicious JetBrains plugins

Data Leak
H score12 First: 17.06.2026 12:10 Last: 17.06.2026 12:10 Sources 1

About this happening: Developers' **AI provider API keys** were **exfiltrated** through malicious **JetBrains Marketplace** plugins, exposing credentials from a broad user base and risking unauthorized...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Timeline

  1. 03.02.2026 00:04 3 articles · 5mo ago

    GlassWorm trojanizes four OpenVSX extensions on January 30

    Exploitation Observed

    GlassWorm operators used compromised publishing access for the oorzc account to push malicious updates to oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, and oorzc.scss-to-css-compile v1.3.4, with the trojanized extensions collectively downloaded 22,000 times. The campaign targeted macOS systems and used the extension-store compromise to seed payloads that later stole passwords, crypto-wallet data, and developer credentials.

    Show sources
  2. 03.02.2026 00:04 1 articles · 5mo ago

    Open VSX revokes access and removes malicious GlassWorm releases

    Mitigation Patch Update

    Socket reported the compromised packages to the Eclipse Foundation, and the Open VSX operator confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. oorzc.ssh-tools was removed completely from Open VSX after multiple malicious releases were discovered, while the other affected extensions were cleaned on the platform.

    Show sources