GlassWorm is a multi-stage malware campaign targeting developers via malicious packages on npm, PyPI, GitHub, and OpenVSX. Stage 1 uses either a Unicode-based or obfuscated preinstall loader that retrieves its C2 address from a Solana blockchain memo, enabling resilient, uncensorable command infrastructure. Stage 2 performs broad credential theft including crypto wallets, npm tokens, git credentials, VS Code secrets, and cloud provider keys (AWS, GCP, Azure, etc.). Stage 3 deploys a persistent WebSocket-based RAT with DHT-based C2 discovery, HVNC for hidden remote desktop access, a SOCKS proxy module, and a force-installed Chrome extension masquerading as Google Docs Offline. The extension logs keystrokes, dumps cookies and localStorage, captures screenshots, exfiltrates browser history, and monitors specific sites like Bybit for session tokens. A separate phishing binary targets Ledger and Trezor hardware wallet users by intercepting USB connections and presenting fake recovery phrase input forms. Full indicators of compromise including IPs, file hashes, registry keys, and Solana wallet addresses are provided.
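A defender-side check that follows from the Stage 1 description, as an added example (this is not code from the Aikido write-up): scan an unpacked npm package's install-time lifecycle hooks, and any script file they run, for invisible Unicode code points of the kind a Unicode-based loader hides in. The package layout, file names and payload characters below are constructed for illustration.

```python
import json
import unicodedata

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Code points that render as nothing: format characters (Cf, e.g. zero-width
# space, tag characters) and nonspacing marks (Mn, includes variation selectors).
INVISIBLE_CATEGORIES = {"Cf", "Mn"}


def invisible_code_points(text):
    """Sorted, de-duplicated non-ASCII code points in text that render as nothing."""
    return sorted({ord(ch) for ch in text
                   if ord(ch) > 0x7F and unicodedata.category(ch) in INVISIBLE_CATEGORIES})


def audit_package(files):
    """files maps path -> content for an unpacked npm tarball.

    Returns (hook, detail) findings: an install-time hook whose command carries
    invisible code points, or which runs a .js file from the package that does.
    """
    findings = []
    scripts = json.loads(files["package.json"]).get("scripts", {})
    for hook, cmd in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        hidden = invisible_code_points(cmd)
        if hidden:
            findings.append((hook, "command contains " + ", ".join(f"U+{cp:04X}" for cp in hidden)))
        # Every .js file the hook invokes (e.g. "node ./loader.js") gets the same scan.
        for token in cmd.split():
            path = token.lstrip("./")
            if path.endswith(".js") and path in files:
                hidden = invisible_code_points(files[path])
                if hidden:
                    findings.append((hook, f"{path}: {len(hidden)} invisible code points, "
                                           f"first U+{hidden[0]:04X}"))
    return findings


# Constructed sample: preinstall runs a file whose string literal is built from
# variation selectors (U+FE00-FE0F) and a zero-width space, invisible in an editor.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "demo-pkg", "version": "1.0.0",
                                "scripts": {"preinstall": "node ./loader.js", "test": "jest"}}),
    "loader.js": "const payload = '\ufe00\ufe01\ufe0f\u200b';\n",
}

if __name__ == "__main__":
    for hook, detail in audit_package(SAMPLE_FILES):
        print(f"[{hook}] {detail}")
```

Run it against a package extracted with `npm pack` before installing; a hit on a lifecycle hook is a reason to inspect the file byte by byte rather than in an editor, which will not show the characters.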

From aikido.dev (12 min read)