GlassWorm attack installs fake browser extension for surveillance

March 27, 2026, 12:11 a.m.

Description

GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, including cryptocurrency wallets and development credentials, installs a Remote Access Trojan (RAT), and deploys a fake Chrome extension for extensive surveillance. It uses distributed hash tables and blockchain for resilient command and control. While initially focused on developers with potential cryptocurrency assets, the stolen information could enable wider supply chain attacks. Prevention strategies include careful package management, regular extension audits, and up-to-date anti-malware solutions.

External References

https://otx.alienvault.com/pulse/69c59ad1d050c7b6a823051e
https://securityboulevard.com/2026/03/glassworm-attack-installs-fake-browser-extension-for-surveillance/
Tags
infostealer
cryptocurrency
developers
remote access trojan
supply chain attack
blockchain
browser extension
2026-03-26
glassworm

Date

  • Created: March 26, 2026, 8:45 p.m.
  • Published: March 26, 2026, 8:45 p.m.
  • Modified: March 27, 2026, 12:11 a.m.

Indicators

  • 45.150.34.158
Download all indicators here!

Attack Patterns

  • GlassWorm
  • GlassWorm