🎯 Threat Intelligence

GlassWorm's Stealthy Crawl: Fake Extensions and Blockchain C2 Turn Dev Tools into Spyware Nightmares

Developers grabbed what looked like a routine npm update. Hours later, GlassWorm had turned their machines into crypto-stealing spies, complete with fake browser extensions watching every tab.

Marcus Rivera 📅 Apr 03, 2026 ⏱️ 3 min read 👁️ 0 views

Infographic showing GlassWorm infection chain from npm package to fake Chrome extension surveillance

⚡ Key Takeaways

GlassWorm uses Solana blockchain memos for dynamic, resilient C2— a new evasion standard.
Fake 'Google Docs Offline' Chrome extension enables total browser surveillance, from DOM snapshots to keylogs.
Targets developers for supply chain use; stolen tokens could cascade to enterprise-wide breaches.

🧠 What's your take on this?

Cast your vote and see what Threat Digest readers think

Written by

Marcus Rivera

Tech journalist covering AI business and enterprise adoption. 10 years in B2B media.

#GlassWorm attack #Solana C2 #blockchain C2 #browser extension spyware #npm security #supply chain malware

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Malwarebytes Labs

GlassWorm's Stealthy Crawl: Fake Extensions and Blockchain C2 Turn Dev Tools into Spyware Nightmares

⚡ Key Takeaways

The 60-Second TL;DR

🧠 What's your take on this?

Community Consensus

Marcus Rivera

Worth sharing?

⚡ Key Takeaways

The 60-Second TL;DR

🧠 What's your take on this?

Community Consensus

Marcus Rivera

Share this article

Worth sharing?

Related Stories

Unified Exposure Management: AI Hype or Real Shield?

Quantum Cryptography's Inventors Snag Turing Award—But Does It Fix Anything Real?

DeepLoad Malware: AI-Powered ClickFix Scam That's Already Stealing Enterprise Logins

766 Next.js Servers Gutted by CVE-2025-55182: Hackers Snag Keys, Secrets, and Your Whole Damn Infra Map

Stay in the loop