Researchers have uncovered a new evolution of the GlassWorm campaign that uses rogue packages and compromised maintainer accounts to deliver a multi-stage framework for data theft and remote access. The chain includes a .NET hardware-wallet phishing binary, a WebSocket JavaScript RAT that force-installs a malicious "Google Docs Offline" Chrome extension, and dead-drop C2 resolvers on the Solana blockchain. #GlassWorm #GoogleDocsOffline
Key points
- GlassWorm spreads through malicious packages on npm, PyPI, GitHub, and Open VSX and by pushing poisoned updates from compromised maintainer accounts.
- The stage-two framework harvests credentials, crypto wallets and system profiles, compresses the data into ZIP archives, and exfiltrates them to an external server.
- A .NET component detects Ledger and Trezor USB connections and displays persistent phishing windows to capture 24-word recovery phrases.
- The JavaScript RAT resolves its C2 endpoint via DHT or Solana-based dead drops and supports HVNC, SOCKS/WebRTC proxying, browser data theft, and remote JS execution.
- The campaign force-installs a malicious Google Docs Offline Chrome extension to steal cookies, DOM data, keystrokes, screenshots, history, and perform targeted session surveillance.
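A practical check for the last point: a rogue extension that borrows the name "Google Docs Offline" cannot borrow the genuine extension's Web Store ID, and a force-installed or sideloaded extension is recorded with a non-Web-Store install location in Chrome's profile preferences. The script below is an added triage example, not code from the article or from the GlassWorm research; it assumes the genuine Google Docs Offline Web Store ID is `ghbmnnjooekpmoecnnnilnnbdlolhkhi` and that the numeric `location` values follow Chromium's ManifestLocation enum (verify both against a known-good profile before relying on them). The sample profile data is constructed; the flagged ID in it is a placeholder, not a real indicator.

```python
"""Triage Chrome/Chromium extension records for name impersonation and
forced or sideloaded installs. Added example; not from the original page."""
from __future__ import annotations

import json
from pathlib import Path

# Assumption: Web Store ID of the genuine Google Docs Offline extension.
GENUINE_GOOGLE_DOCS_OFFLINE_ID = "ghbmnnjooekpmoecnnnilnnbdlolhkhi"

# Assumption: Chromium ManifestLocation values as persisted in the "location"
# field of extensions.settings.<id> in Preferences / Secure Preferences.
LOCATION_NAMES = {
    1: "internal (user/Web Store install)",
    2: "external_pref",
    3: "external_registry",
    4: "unpacked",
    5: "component",
    6: "external_pref_download",
    7: "external_policy_download",
    8: "command_line",
    9: "external_policy",
    10: "external_component",
}
# Anything in this set did not arrive through a normal Web Store install.
FORCED_OR_SIDELOADED = {2, 3, 4, 6, 7, 8, 9}


def load_extension_settings(prefs: dict) -> dict:
    """Return the id -> record mapping under extensions.settings, or {}."""
    return (prefs.get("extensions") or {}).get("settings") or {}


def triage_extensions(prefs: dict,
                      impersonated_name: str = "Google Docs Offline",
                      genuine_id: str = GENUINE_GOOGLE_DOCS_OFFLINE_ID) -> list[dict]:
    """Flag extensions that (a) use the impersonated name with a different ID
    or (b) were installed via policy, registry/pref sideloading or unpacked."""
    findings = []
    for ext_id, rec in load_extension_settings(prefs).items():
        manifest = rec.get("manifest") or {}
        name = str(manifest.get("name", "")).strip()
        location = rec.get("location")
        reasons = []
        if name.lower() == impersonated_name.lower() and ext_id != genuine_id:
            reasons.append(f"name matches '{impersonated_name}' but ID is not {genuine_id}")
        if location in FORCED_OR_SIDELOADED:
            reasons.append(f"installed via {LOCATION_NAMES[location]} (location={location})")
        if reasons:
            findings.append({"id": ext_id, "name": name, "location": location,
                             "version": manifest.get("version"), "reasons": reasons})
    return findings


def triage_preferences_file(path: str | Path) -> list[dict]:
    """Load a Preferences or Secure Preferences JSON file and triage it."""
    with open(path, encoding="utf-8") as fh:
        return triage_extensions(json.load(fh))


# Constructed sample profile: one genuine record, one impersonator loaded
# unpacked (placeholder ID, not a real indicator), one unrelated extension.
SAMPLE_PREFERENCES = {
    "extensions": {
        "settings": {
            GENUINE_GOOGLE_DOCS_OFFLINE_ID: {
                "location": 1, "from_webstore": True,
                "manifest": {"name": "Google Docs Offline", "version": "1.80.0"},
            },
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "location": 4, "from_webstore": False,
                "manifest": {"name": "Google Docs Offline", "version": "1.0"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "location": 1, "from_webstore": True,
                "manifest": {"name": "Some Other Extension", "version": "2.3"},
            },
        }
    }
}

if __name__ == "__main__":
    for hit in triage_extensions(SAMPLE_PREFERENCES):
        print(hit["id"], hit["name"], hit["version"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

On Windows and macOS the extension records live in the profile's `Secure Preferences` file, on Linux in `Preferences`; point `triage_preferences_file` at whichever exists. A hit on the location check alone is not proof of compromise (enterprise policy legitimately force-installs extensions), so compare flagged IDs against your managed `ExtensionInstallForcelist` before escalating.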
Read More: https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html