What is the GlassWorm attack?

GlassWorm spreads via malicious npm/PyPI packages and VS Code extensions, stealing creds and installing RATs with fake Chrome extensions for surveillance.

How do you detect GlassWorm malware?

Check for IOCs like IPs (45.32.150.251), tasks ('UpdateApp'), registry (UpdateApp/UpdateLedger), and 'Google Docs Offline' extension.

Can GlassWorm lead to bigger supply chain attacks?

Yes—stolen dev creds enable repo compromises, tainting packages for thousands of users downstream.

🎯 Threat Intelligence

GlassWorm's Stealthy Crawl: Fake Extensions and Blockchain C2 Turn Dev Tools into Spyware Nightmares

Developers grabbed what looked like a routine npm update. Hours later, GlassWorm had turned their machines into crypto-stealing spies, complete with fake browser extensions watching every tab.

Threat Digest Apr 03, 2026 3 min read

Infographic showing GlassWorm infection chain from npm package to fake Chrome extension surveillance

⚡ Key Takeaways

GlassWorm uses Solana blockchain memos for dynamic, resilient C2— a new evasion standard. 𝕏
Fake 'Google Docs Offline' Chrome extension enables total browser surveillance, from DOM snapshots to keylogs. 𝕏
Targets developers for supply chain use; stolen tokens could cascade to enterprise-wide breaches. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#GlassWorm attack #Solana C2 #blockchain C2 #browser extension spyware #npm security #supply chain malware

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Malwarebytes Labs

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

Inside the Axios Hijack: How DPRK RATs Slipped into Dev Workflows Worldwide

Coca-Cola and Ferrari Job Offers Hijacking Your Google Accounts in Real Time

Venom PhaaS Powers Ruthless Credential Grabs from C-Suite Targets

53% of Firms Run Critically Outdated Mobile OS—Attack Surface Explodes

Stay in the loop