Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm multi-stage data-theft malware evolution

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The GlassWorm malware family has evolved into a multi-stage payload chain that steals browser data and crypto-wallet information, increasing risk for Windows and macOS users. It spreads through rogue packages on npm, PyPI, GitHub, and Open VSX, and its operators also abuse maintainer accounts to push poisoned updates. The payload chain includes a RAT, a malicious Chrome extension, and hardware-wallet phishing, enabling session theft, remote access, and credential capture.

Related Happenings

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

SilabRAT session-hijacking crypto-draining malware activity

Malware Activity
H score24 First: 10.06.2026 18:30 Last: 10.06.2026 18:30 Sources 1

About this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
H score22 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

Latest development: 29.05.2026 11:10

mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.

GlassWorm supply-chain malware activity

Malware Activity
H score22 First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Timeline

  1. 25.03.2026 16:26 2 articles · 3mo ago

    GlassWorm evolves into a multi-stage data-theft framework

    Technical Analysis Update

    GlassWorm has evolved into a multi-stage malware campaign that seeds rogue packages across npm, PyPI, GitHub, and the Open VSX marketplace, abuses compromised maintainer accounts to push poisoned updates, and uses Solana-based dead drops and a public Google Calendar event URL to fetch C2 infrastructure and OS-specific payloads. The chain delivers a data-theft framework, a hardware-wallet phishing component that targets Ledger and Trezor devices, and a WebSocket-based JavaScript RAT that steals browser data, bypasses Chrome's app-bound encryption (ABE), and force-installs a Google Chrome extension named Google Docs Offline to capture cookies, localStorage, screenshots, keystrokes, clipboard content, bookmarks, browser history, and targeted session data such as Bybit (.bybit.com) secure-token and deviceid cookies. AFINE also published glassworm-hunter to scan local systems for associated payloads without making network requests during scanning.

    Show sources