
New GlassWorm malware wave targets Macs with trojanized crypto wallets

Published:

1 January 2026 at 15:18:23

Alert date:

1 January 2026 at 20:02:29

Source:

bleepingcomputer.com


Operating Systems, Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration

A fourth wave of the GlassWorm campaign is actively targeting macOS developers through malicious VSCode/OpenVSX extensions. The campaign delivers trojanized versions of cryptocurrency wallet applications to compromise Mac systems. This represents an ongoing and evolving threat specifically targeting the developer community with supply chain attacks through compromised development tools and cryptocurrency-related software.

Technical details

This is the fourth wave of the GlassWorm campaign, and it targets macOS developers with malicious VSCode/OpenVSX extensions. The payload is AES-256-CBC encrypted and embedded in compiled JavaScript. Execution is delayed by 15 minutes to evade sandbox analysis. On macOS the malware uses AppleScript instead of PowerShell, and it uses LaunchAgents for persistence. It keeps the Solana blockchain-based C2 mechanism of earlier waves. It targets over 50 browser crypto extensions, developer credentials, browser data, and Keychain passwords, and it attempts to replace hardware cryptocurrency wallet apps (Ledger Live, Trezor Suite) with trojanized versions.

Mitigation steps:

Remove the three malicious extensions immediately if installed
Reset GitHub account passwords
Revoke NPM tokens
Check the system for signs of infection
Consider reinstalling the system if infected
Verify the publisher's verification status before installing VSCode extensions

Affected products:

macOS
Visual Studio Code
OpenVSX registry
Microsoft Visual Studio Marketplace
GitHub accounts
NPM accounts
Cryptocurrency wallet extensions
Ledger Live
Trezor Suite
macOS Keychain

Related links:

Related CVEs:

Related threat actors:

IOCs:

Malicious extension identifiers:

studio-velte-distributor.pro-svelte-extension
cudra-production.vsce-prettier-pro
Puccin-development.full-access-catppuccin-pro-extension

Behavioural indicators:

AES-256-CBC encrypted payload in compiled JavaScript
15-minute execution delay
AppleScript usage for macOS targeting
LaunchAgents persistence mechanism
Solana blockchain-based C2 communication
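The following script is an added example and is not code from the advisory or from BleepingComputer. It checks a VS Code extensions directory for the three extension identifiers listed above and prints the user's LaunchAgents (the persistence location the advisory names) for manual review; it assumes the default on-disk layout ~/.vscode/extensions/<publisher>.<name>-<version>.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling). Scans a VS Code extensions
# directory for the extension IDs this advisory lists as IOCs and lists user
# LaunchAgents. Assumes ~/.vscode/extensions/<publisher>.<name>-<version>.
# Extension IDs taken from the advisory's IOC list.
GLASSWORM_IDS="studio-velte-distributor.pro-svelte-extension
cudra-production.vsce-prettier-pro
Puccin-development.full-access-catppuccin-pro-extension"
# find_glassworm_extensions DIR
# Prints each installed extension directory whose name matches one of the
# IDs (optionally followed by -<version>); returns 0 if any matched, else 1.
find_glassworm_extensions() {
    dir="$1"
    found=1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        # Compare case-insensitively in case the folder name is lowercased.
        name=$(basename "$entry" | tr 'A-Z' 'a-z')
        for id in $GLASSWORM_IDS; do
            lower_id=$(printf '%s' "$id" | tr 'A-Z' 'a-z')
            case "$name" in
                "$lower_id"|"$lower_id"-*)
                    printf '%s\n' "$entry"
                    found=0
                    ;;
            esac
        done
    done
    return $found
}
# list_user_launchagents
# Prints the plists in the user's LaunchAgents folder for manual review.
list_user_launchagents() {
    ls "${HOME}/Library/LaunchAgents"/*.plist 2>/dev/null
}
# Run with --scan to check the current user's VS Code install.
if [ "${1:-}" = "--scan" ]; then
    if find_glassworm_extensions "${HOME}/.vscode/extensions"; then
        echo "WARNING: extension(s) named in the GlassWorm advisory are installed."
    else
        echo "No extension directories matching the advisory's IOCs found."
    fi
    echo "User LaunchAgents to review:"; list_user_launchagents
fi
```

A match only means the directory name is present; follow the advisory's mitigation steps rather than treating a clean result as proof the system is uninfected.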

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
