HOMETHREATSGlassWorm
APT / THREAT GROUP

GlassWorm

2
aliases
Last seen:Mar 17, 2026

Intelligence Profile

According to Koi Security, this malware harvests NPM, GitHub, and Git credentials for supply chain propagation. It targets 49 different cryptocurrency wallet extensions to drain funds. It uses stolen credentials to compromise additional packages and extensions, spreading the worm further. Furthermore, it deploys SOCKS proxy servers, turning developer machines into criminal infrastructure and installs hidden VNC servers for complete remote access.

Threat Analysis

GlassWorm is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Intelligence Reports Mentioning GlassWorm

External References

Quick Facts

TypeAPT / Threat Group
Aliases2

Also Known As

js.glasswormGlassWorm

External Intelligence

Malpedia: js.glassworm

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
GlassWorm — APT / Threat Group | Threat Intelligence | CTIWATCH.COM