
GlassWorm multi-stage data-theft malware evolution

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary


The GlassWorm malware family has evolved into a multi-stage payload chain that steals browser data and crypto-wallet information, increasing risk for Windows and macOS users. It spreads through rogue packages on npm, PyPI, GitHub, and Open VSX, and its operators also abuse maintainer accounts to push poisoned updates. The payload chain includes a RAT, a malicious Chrome extension, and hardware-wallet phishing, enabling session theft, remote access, and credential capture.

Related Happenings

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Timeline

  1. 25.03.2026 16:26 2 articles · 2mo ago

    GlassWorm evolves into a multi-stage data-theft framework

    Technical Analysis Update

    GlassWorm has evolved into a multi-stage malware campaign that seeds rogue packages across npm, PyPI, GitHub, and the Open VSX marketplace, abuses compromised maintainer accounts to push poisoned updates, and uses Solana-based dead drops and a public Google Calendar event URL to fetch C2 infrastructure and OS-specific payloads. The chain delivers a data-theft framework, a hardware-wallet phishing component that targets Ledger and Trezor devices, and a WebSocket-based JavaScript RAT that steals browser data, bypasses Chrome's app-bound encryption (ABE), and force-installs a Google Chrome extension named Google Docs Offline to capture cookies, localStorage, screenshots, keystrokes, clipboard content, bookmarks, browser history, and targeted session data such as Bybit (.bybit.com) secure-token and deviceid cookies. AFINE also published glassworm-hunter to scan local systems for associated payloads without making network requests during scanning.
