GlassWorm multi-stage data-theft malware evolution
Malware Activity
Summary
Hide ▲
Show ▼
The GlassWorm malware family has evolved into a multi-stage payload chain that steals browser data and crypto-wallet information, increasing risk for Windows and macOS users. It spreads through rogue packages on npm, PyPI, GitHub, and Open VSX, and its operators also abuse maintainer accounts to push poisoned updates. The payload chain includes a RAT, a malicious Chrome extension, and hardware-wallet phishing, enabling session theft, remote access, and credential capture.
Related Happenings
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
SilabRAT session-hijacking crypto-draining malware activity
Malware Activity
H score24
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
About this happening:
The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
SilabRAT session-hijacking crypto-draining malware activity
Malware ActivityAbout this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
H score22
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware ActivityAbout this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
Latest development: 29.05.2026 11:10
mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.
GlassWorm supply-chain malware activity
Malware Activity
H score22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm supply-chain malware activity
Malware ActivityAbout this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Timeline
-
25.03.2026 16:26 2 articles · 3mo ago
GlassWorm evolves into a multi-stage data-theft framework
Technical Analysis UpdateGlassWorm has evolved into a multi-stage malware campaign that seeds rogue packages across npm, PyPI, GitHub, and the Open VSX marketplace, abuses compromised maintainer accounts to push poisoned updates, and uses Solana-based dead drops and a public Google Calendar event URL to fetch C2 infrastructure and OS-specific payloads. The chain delivers a data-theft framework, a hardware-wallet phishing component that targets Ledger and Trezor devices, and a WebSocket-based JavaScript RAT that steals browser data, bypasses Chrome's app-bound encryption (ABE), and force-installs a Google Chrome extension named Google Docs Offline to capture cookies, localStorage, screenshots, keystrokes, clipboard content, bookmarks, browser history, and targeted session data such as Bybit (.bybit.com) secure-token and deviceid cookies. AFINE also published glassworm-hunter to scan local systems for associated payloads without making network requests during scanning.
Show sources
- GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data — thehackernews.com — 25.03.2026 16:26
- GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data — thehackernews.com — 25.03.2026 16:26