GlassWorm macOS malware is back, hiding inside VSCode and OpenVSX extensions that try to swap crypto wallet apps and steal keys. The short answer: remove the three flagged extensions, rotate GitHub and npm secrets, and hunt new AppleScript-based LaunchAgents before they drain wallets.
What’s new in the fourth GlassWorm wave
The latest GlassWorm macOS malware campaign shifts from Windows to macOS developers. Koi Security spotted three rogue OpenVSX extensions that carry an AES-256-CBC-encrypted payload inside compiled JavaScript, trigger after a 15-minute delay, and pivot into AppleScript-based persistence.
New targeting and tooling
- macOS focus: AppleScript payloads and LaunchAgents replace PowerShell and Registry edits.
- Crypto swap: The malware hunts Ledger Live and Trezor Suite to replace them with trojanized builds, though payloads are currently empty.
- Keychain theft: Beyond browser extensions, it now reaches into macOS Keychain to extract secrets.
- Same C2 spine: Solana-based command-and-control remains in use, preserving infrastructure overlap with earlier waves.
Rogue extension names
- studio-velte-distributor.pro-svelte-extension
- cudra-production.vsce-prettier-pro
- Puccin-development.full-access-catppuccin-pro-extension
At least two extensions now show OpenVSX warnings for unverified publishers, yet download counters still show 33,000+ installs, likely manipulated to add false trust.
Timeline snapshot
- October: GlassWorm debuts with invisible Unicode obfuscation.
- Early November: Second wave hits OpenVSX with refreshed extensions.
- Early December: Third wave lands on Microsoft’s marketplace with Rust binaries.
- January: Fourth wave targets macOS with AppleScript loaders and hardware wallet swapping logic.
Why this GlassWorm wave matters for macOS teams
The GlassWorm macOS malware campaign weaponizes developer trust. Extension ecosystems are a soft path into source code, cloud keys, and crypto assets.
Operational risks
- Source code exposure: Stolen GitHub and npm credentials enable supply-chain backdoors.
- Wallet loss: Browser wallet extensions and hardware wallet apps face replacement attempts, putting seed phrases and keys at risk.
- Persistence and stealth: LaunchAgents plus delayed execution complicate sandboxing and EDR triage.
- Cross-environment drift: Solana-based C2 and proxy use can pivot into cloud workloads if tokens are reused.
We saw similar trust attacks in the earlier GlassWorm extension wave and the Shai-Hulud npm attack on Trust Wallet. Each incident shows that marketplace curation is not a control boundary.
For teams that keep macOS as the primary dev platform, the new hardware wallet replacement logic adds a direct path to financial loss. Even if the trojanized wallets are unfinished, the capability signals intent.
How the GlassWorm macOS malware runs
Infection chain
Developers install one of the three malicious OpenVSX extensions. After a 15-minute sleep, compiled JavaScript decrypts an AES-256-CBC payload and executes AppleScript.
The script:
- Creates LaunchAgents for persistence.
- Harvests browser data, 50+ crypto extensions, and macOS Keychain entries.
- Checks for Ledger Live and Trezor Suite, then tries to replace them with attacker-provided apps.
- Builds a SOCKS proxy and remote access channel over the Solana-backed C2 mesh.
Data theft and replacement
GlassWorm targets GitHub and npm tokens to hijack repos and publish poisoned packages. It scrapes wallet secrets and session data, then exfiltrates them through the Solana-based pipeline.
The hardware wallet swapper currently returns empty files, but the code path is present. Once payloads appear, app replacement could bypass user caution because the installer masquerades as a routine update.
Detection cues
- OpenVSX installs of the three package names on macOS endpoints.
- New LaunchAgents pointing to AppleScript or suspicious JavaScript in user space.
- Outbound Solana RPC calls from developer workstations.
- Unexpected changes to Ledger Live or Trezor application bundles.
Immediate response steps
- Remove the three extensions and reinstall VSCode-based editors.
- Rotate GitHub and npm credentials; revoke tokens; enforce MFA and device trust.
- Reinstall Ledger Live or Trezor Suite from vendor sites; verify checksums.
- Scan for LaunchAgents; quarantine any that point to non-standard scripts.
- Block known C2 domains and monitor for Solana RPC traffic until hosts are reimaged.
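A triage script for the detection cues and response steps above, covering the two host-side hunts (flagged extension folders and LaunchAgents that point at scripts). It is an added example, not code from Koi Security, BleepingComputer or the GlassWorm reports; the editor extension directory layout and the LaunchAgent heuristics are assumptions.

```shell
#!/bin/sh
# Triage helpers for the GlassWorm wave described above: locate the three
# flagged OpenVSX extensions in local editor extension folders and list
# LaunchAgents that call AppleScript or non-standard scripts.
# Assumptions: VSCode-based editors unpack extensions into folders named
# "<publisher>.<name>-<version>" (lowercased); user-level LaunchAgents
# are plists under ~/Library/LaunchAgents.

# Extension IDs as published in the campaign report quoted above.
FLAGGED_EXTENSIONS="studio-velte-distributor.pro-svelte-extension
cudra-production.vsce-prettier-pro
Puccin-development.full-access-catppuccin-pro-extension"

# find_flagged_extensions DIR...: print each installed extension folder whose
# name is one of the flagged IDs, with or without a trailing "-<version>".
# Comparison is case-insensitive because marketplaces lowercase publisher IDs.
find_flagged_extensions() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for entry in "$dir"/*; do
      [ -d "$entry" ] || continue
      name=$(basename "$entry" | tr 'A-Z' 'a-z')
      for flagged in $FLAGGED_EXTENSIONS; do
        flagged=$(printf '%s' "$flagged" | tr 'A-Z' 'a-z')
        case "$name" in
          "$flagged"|"$flagged"-*) echo "$entry" ;;
        esac
      done
    done
  done
}

# find_suspicious_launchagents DIR...: print LaunchAgent plists that invoke
# osascript, point at AppleScript/JavaScript/shell files, or run from temp
# or hidden home directories. A triage heuristic for review, not proof.
find_suspicious_launchagents() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      if grep -Eqi 'osascript|\.(scpt|applescript|js|sh)</string>|/tmp/|/Users/[^/]+/\.' "$plist"; then
        echo "$plist"
      fi
    done
  done
}

# Stand-alone usage on a workstation (paths are the assumed defaults):
# find_flagged_extensions "$HOME/.vscode/extensions" "$HOME/.vscode-oss/extensions"
# find_suspicious_launchagents "$HOME/Library/LaunchAgents"
```

Every hit is a candidate for quarantine and credential rotation, not an automatic verdict; review the plist contents before removing it.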
Context, scale, and defensive priorities
The GlassWorm macOS malware surge is the fourth iteration since October. Earlier waves relied on invisible Unicode and Rust binaries; this one leans on AppleScript and LaunchAgents to stay native to macOS.
Koi Security reports more than 33,000 installs across the three extensions, though counts are likely padded. Two packages now carry OpenVSX warnings, but users who sideloaded them before removal remain exposed.
Defensive priorities
- Extension hygiene: Lock VSCode and OpenVSX to approved publishers; mirror extensions internally.
- Secret sprawl: Store GitHub and npm tokens in managed vaults; use short-lived tokens.
- macOS hardening: Restrict LaunchAgents creation; require admin approval for new plist files.
- Egress controls: Alert on Solana RPC endpoints and unusual SOCKS proxy traffic.
- Wallet integrity: Validate checksums for Ledger and Trezor apps; block unsigned updates.
Marketplace malware remains a recurring theme. After the December GlassWorm extension spike and other supply-chain hits, zero-trust sourcing for plugins is becoming baseline.
Teams should also rehearse what happens if a code-signing key leaks. That preparation reduces blast radius if GlassWorm pivots from crypto theft to shipping backdoored packages through compromised developer accounts.
Sources and references
- BleepingComputer: New GlassWorm malware wave targets Macs with trojanized crypto wallets
- Koi Security: GlassWorm goes Mac with fresh infrastructure and new tricks
- Cyberwarzone: GlassWorm returns with 24 malicious extensions
GlassWorm’s pivot to AppleScript and hardware wallet swapping shows the group is iterating quickly. Expect another extension wave unless marketplaces tighten publisher verification and defenders clamp down on token sprawl.