Ethical Hacking News

New GlassWorm Malware Wave: A Threat to Mac Developers



A new wave of GlassWorm malware has hit Macs, targeting developers with malicious extensions that steal credentials and crypto wallet data. With its expanded capabilities and continued ability to evade detection, this threat requires immediate attention from developers and cybersecurity experts alike.

  • The "GlassWorm" malware targets macOS systems with malicious VSCode/OpenVSX extensions.
  • The malware steals credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data.
  • The GlassWorm malware has expanded its capabilities to include stealing Keychain passwords and replacing hardware wallets with trojanized versions.
  • Researchers estimate over 33,000 installs of the malicious extensions, but figures are often manipulated by threat actors.
  • Developers are recommended to remove the extensions immediately, reset their account passwords, and check for signs of infection.



The cybersecurity landscape continues to evolve, and one of the most significant threats facing developers today is the "GlassWorm" malware wave. This latest campaign specifically targets macOS systems with malicious VSCode/OpenVSX extensions that deliver trojanized crypto wallet applications.

The GlassWorm malware first appeared on the marketplaces in October, hidden inside malicious extensions using "invisible" Unicode characters. These extensions were presented as productivity features, language support, or themes for Visual Studio Code. Once installed, however, they revealed their true purpose: stealing credentials for GitHub, npm, and OpenVSX accounts, as well as data from multiple cryptocurrency wallet extensions.

Despite the public exposure and increased defenses, GlassWorm returned in early November on OpenVSX and then again in early December on VSCode. The malicious logic executes after a 15-minute delay, likely in an attempt to evade analysis in sandboxed environments. Instead of PowerShell, it now uses AppleScript, and instead of Registry modification, it uses LaunchAgents for persistence.

The malware's capabilities have expanded significantly since its initial appearance. It now attempts to steal Keychain passwords, and it has a new capability that checks the host for hardware cryptocurrency wallet apps such as Ledger Live and Trezor Suite and replaces them with trojanized versions. This mechanism is currently failing, however, because the trojanized wallet downloads return empty files.

Researchers at Koi Security note that this mechanism is built and ready; it is just waiting for payloads to be uploaded. All other malicious functionality (credential theft, keychain access, data exfiltration, persistence) remains fully operational. The extensions also evaded detection long enough for the download counters to show over 33,000 installs, although these figures are frequently manipulated by threat actors.

Developers who have installed any of the three extensions are recommended to remove them immediately, reset their GitHub account passwords, revoke their npm tokens, and check their system for signs of infection or reinstall it. This is a stark reminder that even seemingly harmless software can turn malicious at any moment.

The return of GlassWorm on OpenVSX with three new VSCode extensions marks a significant escalation in the threat landscape. The developers who create and distribute these extensions must be aware of the risks associated with them and take steps to protect themselves and their users.

The rise of the "GlassWorm" malware wave serves as a cautionary tale for all developers working on macOS systems, highlighting the importance of staying vigilant and up-to-date with the latest security patches and best practices.
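A defender-side triage script for the indicators the article describes, as an added example that is not code from Ethical Hacking News or Koi Security: it counts invisible Unicode code points in extension JavaScript and flags LaunchAgents whose program arguments invoke osascript or point back into an editor extension directory. It assumes the standard VS Code layout of one directory per extension, XML or binary plists under a LaunchAgents directory, and a constructed sample tree in a temp directory so it runs anywhere; the marker list, the invisible-character set and the 20-character threshold are assumptions, not values from the article.

```python
import plistlib
import tempfile
import unicodedata
from pathlib import Path

# Markers for behaviours the article names (osascript = AppleScript; LaunchAgents pointing into an editor extension dir). Assumed list.
SUSPICIOUS_MARKERS = ("osascript", "/.vscode/extensions/", "/.vscode-oss/extensions/")

def is_invisible(ch: str) -> bool:
    """Format characters (Cf) and variation selectors render as nothing in an editor."""
    cp = ord(ch)
    return unicodedata.category(ch) == "Cf" or 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF

def scan_extensions(ext_root: Path, threshold: int = 20) -> list:
    """One finding per extension directory whose JS holds >= threshold invisible code points."""
    findings = []
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        count = sum(is_invisible(c) for js in ext_dir.rglob("*.js")
                    for c in js.read_text(encoding="utf-8", errors="replace"))
        if count >= threshold:  # threshold is an assumed cut-off, not from the article
            findings.append({"extension": ext_dir.name, "invisible_chars": count})
    return findings

def scan_launch_agents(agents_dir: Path) -> list:
    """Flag LaunchAgent plists whose ProgramArguments contain a suspicious marker."""
    findings = []
    for plist in sorted(agents_dir.glob("*.plist")):
        try:
            data = plistlib.loads(plist.read_bytes())
        except Exception:  # malformed plist: skip it rather than abort the whole triage
            continue
        args = [str(a) for a in data.get("ProgramArguments", [])]
        if any(m in a for a in args for m in SUSPICIOUS_MARKERS):
            findings.append({"plist": plist.name, "label": data.get("Label"), "args": args})
    return findings

def demo() -> tuple:
    """Build a constructed sample tree in a temp dir and run both scans on it."""
    root = Path(tempfile.mkdtemp())
    for name, body in (("evil.helper-1.0.0", "var a = 1;" + "\u200b" * 30),
                       ("good.theme-1.0.0", "module.exports = {};")):
        (root / "ext" / name).mkdir(parents=True)
        (root / "ext" / name / "extension.js").write_text(body, encoding="utf-8")
    agents = root / "LaunchAgents"
    agents.mkdir()
    for label, args in (("com.example.bad", ["/usr/bin/osascript", "-e", "beep"]),
                        ("com.example.ok", ["/usr/bin/true"])):
        (agents / f"{label}.plist").write_bytes(
            plistlib.dumps({"Label": label, "ProgramArguments": args}))
    return scan_extensions(root / "ext"), scan_launch_agents(agents)
```

On a real Mac, point `scan_extensions` at `Path.home() / ".vscode/extensions"` and `scan_launch_agents` at `Path.home() / "Library/LaunchAgents"`; a hit is a lead to investigate, not proof of compromise.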



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-GlassWorm-Malware-Wave-A-Threat-to-Mac-Developers-ehn.shtml

  • Published: Thu Jan 1 13:34:46 2026 by llama3.2 3B Q4_K_M