GlassWorm Malware Pivots to macOS, Targets Crypto Wallets
The self-propagating VS Code extension worm now replaces Ledger Live and Trezor Suite with trojanized versions. Russian-speaking operators behind campaign.
GlassWorm has completed its platform pivot. The self-propagating malware that first appeared in VS Code extensions on the Open VSX marketplace now targets macOS systems exclusively, replacing hardware cryptocurrency wallet applications with trojanized versions designed to steal funds.
Researchers at Koi Security discovered the campaign after tracking GlassWorm through four distinct waves over the past two and a half months. Each iteration brought new capabilities: the initial Windows-focused wave targeted a broader range of developer credentials, while this latest wave, focused entirely on Apple devices, represents a strategic shift toward developers working in cryptocurrency, Web3, and startup environments where Macs dominate.
How the Attack Works
GlassWorm spreads through malicious VS Code extensions published to Open VSX, an open-source extension marketplace serving millions of developers. The malware uses invisible Unicode characters to hide its payload from code review, making detection difficult even for security-conscious developers who inspect extensions before installation.
Once installed, the malware checks for hardware cryptocurrency wallet applications on the host system—specifically Ledger Live and Trezor Suite. When found, it replaces them with trojanized versions that intercept transactions. The payload also targets more than 50 browser-based crypto wallet extensions.
The macOS version demonstrates platform-specific sophistication:
- AppleScript for execution instead of PowerShell
- LaunchAgents for persistence instead of Windows Registry keys
- Direct theft of Keychain database containing stored passwords
- 15-minute activation delay to evade sandbox analysis
Beyond crypto targeting, GlassWorm steals GitHub tokens, NPM credentials, SSH keys, VPN configurations, and browser data. For developers, a single infected extension can compromise their entire professional identity.
Blockchain-Based Command and Control
GlassWorm's infrastructure can't be taken down through traditional means. The malware uses the Solana blockchain for command and control, with instructions embedded in blockchain transactions that defenders cannot block without blocking the entire blockchain.
This design makes the campaign remarkably resilient. Even if security researchers identify C2 endpoints, they can't request takedowns from hosting providers because there are no traditional servers to take down.
Attribution and Victims
Koi Security gained access to the attackers' server and extracted a partial victim list. Targets include developers and organizations across the US, Europe, Asia, and Latin America, plus at least one government entity in the Middle East.
Keylogger data recovered from the server shows a Russian-speaking threat actor using RedExt C&C infrastructure, multiple cryptocurrency exchanges, and various messaging platforms.
As of December 29, the C2 endpoints for trojanized wallet applications were returning empty files. The malware includes file size validation that prevents installation of files smaller than 1000 bytes—suggesting operators are still preparing the macOS wallet trojans or transitioning infrastructure.
Why This Matters
Supply chain attacks through development tools hit at a critical trust point. Developers install extensions to improve productivity, often granting them broad system access. When those extensions turn malicious, they inherit the developer's permissions and network position.
The shift to macOS reflects attacker awareness of their target demographic. Cryptocurrency developers, Web3 engineers, and startup founders overwhelmingly use Apple hardware. By tailoring GlassWorm for macOS, the operators aligned their malware with their intended victims.
For organizations with developer workforces, this campaign reinforces the need for extension allowlisting and endpoint detection on macOS systems—platforms that historically received less security attention than Windows.
Recommended Mitigations
- Audit installed VS Code extensions against a known-good allowlist
- Verify hardware wallet applications haven't been modified by checking file hashes against vendor-published values
- Monitor for LaunchAgent persistence in ~/Library/LaunchAgents
- Review Keychain access requests from unfamiliar applications
- Consider extension sandboxing through separate development environments
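The following script is an added example, not code from GlassWorm, Koi Security or any vendor: it implements the first three mitigations above, with a scanner for the invisible-Unicode hiding technique described under "How the Attack Works". The set of code points treated as invisible, the file types scanned and every sample value are assumptions.

```python
"""Defender-side checks: invisible Unicode in extension sources,
SHA-256 verification of wallet binaries, and a LaunchAgents listing."""
import hashlib
import os
import unicodedata

# Format-control characters (category Cf: zero-width space/joiner, bidi
# controls, BOM, the U+E0000 tag block) plus variation selectors, all of
# which render as nothing in a typical editor. Assumed set; widen to taste.
_EXTRA_INVISIBLE = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
_SCAN_EXT = (".js", ".ts", ".mjs", ".cjs", ".json")

def is_invisible(ch: str) -> bool:
    return unicodedata.category(ch) == "Cf" or ord(ch) in _EXTRA_INVISIBLE

def find_invisible(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, 'U+XXXX') for every invisible code point."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line):
            if is_invisible(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}"))
    return hits

def scan_extension_dir(root: str) -> dict[str, list[tuple[int, int, str]]]:
    """Walk an extensions tree (e.g. ~/.vscode/extensions) and report files
    containing invisible code points; a clean tree returns {}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(_SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_invisible(fh.read())
                if hits:
                    report[path] = hits
    return report

def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare a wallet app binary against a vendor-published SHA-256."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()

def list_launch_agents(home: str = os.path.expanduser("~")) -> list[str]:
    """Per-user LaunchAgents plists, the persistence location named above."""
    d = os.path.join(home, "Library", "LaunchAgents")
    return sorted(os.listdir(d)) if os.path.isdir(d) else []

# Constructed sample: a tiny extension source with a zero-width space and
# two tag-block characters appended to its last line.
SAMPLE_SOURCE = "function activate(ctx) {\n  return 1;\n}\u200b\U000e0068\U000e0069\n"

if __name__ == "__main__":
    for hit in find_invisible(SAMPLE_SOURCE):
        print("invisible code point at line %d col %d: %s" % hit)
```

Run `scan_extension_dir(os.path.expanduser("~/.vscode/extensions"))` for a real sweep; any hit deserves manual review of that file before the extension is trusted.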
The Open VSX marketplace has removed identified malicious extensions, but GlassWorm's worm-like propagation means new variants may already be spreading. Developers should treat extension installation with the same caution they'd apply to running untrusted code—because that's exactly what it is.