One-sentence headline summary
Cybersecurity researchers have identified an evolving GlassWorm campaign that uses malicious software packages and fake browser extensions to steal sensitive data and compromise cryptocurrency hardware wallets.
Key points
- The GlassWorm campaign distributes malware through rogue packages on npm, PyPI, GitHub, and the Open VSX marketplace.
- Attackers use Solana blockchain transactions and Google Calendar events as "dead drop" resolvers: the malware reads its current command-and-control address from those public records instead of hardcoding it, so C2 lookups blend into traffic to legitimate, high-reputation services.
- A multi-stage framework deploys a malicious Google Chrome extension that masquerades as "Google Docs Offline" to harvest browser data and session cookies.
- The malware targets Ledger and Trezor hardware wallets by displaying fake phishing windows that prompt for the 24-word recovery phrase, which the wallet itself never asks for on the host computer.
- The campaign has expanded to include malicious Model Context Protocol (MCP) servers, specifically targeting AI-assisted development tools.
- Security firm AFINE released an open-source tool, "glassworm-hunter," to help developers scan local systems for associated malicious payloads.
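A check a practitioner would want for the "Google Docs Offline" masquerade in the bullets above, as an added example that is not part of the article and not the glassworm-hunter tool: a Python scanner that walks a Chrome profile's Extensions directory, resolves localised manifest names the way Chrome does (a spoofer can hide the display name behind a `__MSG_key__` placeholder), and flags any extension calling itself "Google Docs Offline" under an ID other than the genuine Web Store ID (`ghbmnnjooekpmoecnnnilnnbdlolhkhi`, a public identifier supplied here, not taken from the article). The sample profile it builds is constructed data; `SPOOF_ID` and the sample manifests are assumptions of this example.

```python
"""Scan a Chrome/Chromium profile for extensions impersonating
"Google Docs Offline". Added example, not from the original article
or from any GlassWorm tooling."""
import json
import os
import re
import tempfile

# Web Store ID of the genuine Google Docs Offline extension (public
# identifier supplied by this example, not taken from the article).
GENUINE_DOCS_OFFLINE_ID = "ghbmnnjooekpmoecnnnilnnbdlolhkhi"
# Hypothetical ID used for the constructed spoof below.
SPOOF_ID = "pajnhpjoaihbobclojedmbmlgknefcbb"
TARGET_NAME = "google docs offline"
MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def resolve_name(ext_dir, manifest):
    """Return the manifest's display name, resolving __MSG_key__ through
    _locales/<default_locale>/messages.json as Chrome does."""
    name = manifest.get("name", "")
    m = MSG_RE.match(name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    path = os.path.join(ext_dir, "_locales", locale, "messages.json")
    try:
        with open(path, encoding="utf-8") as f:
            return json.load(f).get(m.group(1), {}).get("message", name)
    except (OSError, ValueError):
        return name


def scan_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report
    every extension named Google Docs Offline whose directory ID is not
    the genuine one, together with the permissions it requests."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version)
            mpath = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            try:
                with open(mpath, encoding="utf-8") as f:
                    manifest = json.load(f)
            except (OSError, ValueError):
                continue  # unreadable manifest: skip, do not crash the scan
            name = resolve_name(ext_dir, manifest)
            if name.strip().lower() == TARGET_NAME and ext_id != GENUINE_DOCS_OFFLINE_ID:
                findings.append({
                    "id": ext_id, "version": version, "name": name,
                    "permissions": sorted(manifest.get("permissions", [])),
                    "path": ext_dir,
                })
    return findings


def build_sample_profile():
    """Write a constructed profile into a temp dir: the genuine extension,
    a spoof that hides its name behind __MSG_appName__, and an unrelated
    extension. Sample data only, not a real infection."""
    profile = tempfile.mkdtemp(prefix="chrome-profile-")

    def write(ext_id, version, manifest, messages=None):
        ext_dir = os.path.join(profile, "Extensions", ext_id, version)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        if messages is not None:
            loc = os.path.join(ext_dir, "_locales", manifest["default_locale"])
            os.makedirs(loc)
            with open(os.path.join(loc, "messages.json"), "w", encoding="utf-8") as f:
                json.dump(messages, f)

    write(GENUINE_DOCS_OFFLINE_ID, "1.0.0_0",
          {"name": "Google Docs Offline", "version": "1.0.0",
           "permissions": ["alarms", "storage"]})
    write(SPOOF_ID, "1.0_0",
          {"name": "__MSG_appName__", "default_locale": "en", "version": "1.0",
           "permissions": ["cookies", "tabs", "webRequest", "<all_urls>"]},
          {"appName": {"message": "Google Docs Offline"}})
    write("mnopabcdefghijklmnopabcdefghijkl", "1.0_0",
          {"name": "Some Other Extension", "version": "1.0"})
    return profile


def demo():
    """Scan the constructed profile; returns the list of findings."""
    return scan_profile(build_sample_profile())


if __name__ == "__main__":
    for hit in demo():
        print(f"SUSPECT {hit['id']} v{hit['version']} '{hit['name']}' "
              f"permissions={hit['permissions']} at {hit['path']}")
```

Run it against a real profile by calling `scan_profile()` with the profile directory (on Linux typically `~/.config/google-chrome/Default`, on macOS `~/Library/Application Support/Google/Chrome/Default`, on Windows `%LOCALAPPDATA%\Google\Chrome\User Data\Default`). One caveat: extensions loaded unpacked from an arbitrary path are recorded in the profile's `Preferences`/`Secure Preferences` files rather than under `Extensions/`, so a sideloaded copy would need that file inspected as well; the permission list in each finding (cookies, tabs, webRequest, `<all_urls>`) is what distinguishes a session-cookie harvester from a benign lookalike.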
This campaign highlights a growing trend of attackers exploiting the trust inherent in developer ecosystems and AI-integrated tools to gain deep system access. Routing command-and-control through blockchain records and cloud services makes these threats particularly difficult to detect and mitigate: the lookups resemble ordinary traffic to legitimate services, and the resolver records cannot simply be taken down the way a conventional C2 domain can.