APT / THREAT GROUP
GlassWorm
2 aliases
Last seen: Mar 17, 2026
Intelligence Profile
According to Koi Security, this malware harvests NPM, GitHub, and Git credentials for supply chain propagation. It targets 49 different cryptocurrency wallet extensions to drain funds. It uses stolen credentials to compromise additional packages and extensions, spreading the worm further. Furthermore, it deploys SOCKS proxy servers, turning developer machines into criminal infrastructure, and installs hidden VNC servers for complete remote access.
Threat Analysis
GlassWorm is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations; its primary motivation is listed as unknown.
Intelligence Reports Mentioning GlassWorm
CrowdStrike, Google Take Down Glassworm Botnet
Infosecurity Magazine · May 27, 2026
Glassworm botnet disrupted after resilient C2 infrastructure takedown
BleepingComputer · May 27, 2026
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
The Hacker News · May 27, 2026
GlassWorm Botnet Disrupted
SecurityWeek · May 27, 2026
Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet
CrowdStrike Blog · May 26, 2026
Dozens of Open VSX Extension Clones Linked to GlassWorm Malware
SecurityWeek · Apr 28, 2026
GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions
BleepingComputer · Apr 27, 2026
Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware
The Hacker News · Apr 27, 2026
Quick Facts
Type: APT / Threat Group
Aliases: 2
Also Known As
js.glassworm, GlassWorm
External Intelligence
Malpedia: js.glassworm
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.