
GlassWorm Malware Leverages Solana Blockchain for Command Delivery and Data Exfiltration

  • Mar 25
  • 3 min read

Key Findings


  • GlassWorm campaign evolved to deliver multi-stage malware framework with data theft and remote access capabilities

  • Operators use Solana blockchain transactions as dead drop resolvers to hide command-and-control infrastructure

  • Malware includes hardware wallet phishing targeting Ledger and Trezor devices with fake recovery phrase prompts

  • Chrome extension masquerading as "Google Docs Offline" steals browser data, cookies, and monitors cryptocurrency exchange sessions

  • Campaign expanded into the Model Context Protocol ecosystem, marking the first confirmed MCP-based attack

  • Initial access gained through compromised developer accounts and rogue packages on npm, PyPI, GitHub, and Open VSX


Background


GlassWorm represents a persistent supply chain attack campaign targeting developers across multiple package ecosystems. The group has built a reputation for sophisticated initial access techniques, compromising legitimate developer accounts to push poisoned updates and publishing malicious packages under names similar to legitimate projects. Their willingness to adapt and move into emerging ecosystems demonstrates an organized operation with solid technical capabilities and a clear awareness of where developer activity is moving.


Multi-Stage Attack Framework


The attack unfolds across several stages. Once initial infection occurs, the malware deploys a data-theft framework capable of credential harvesting, cryptocurrency wallet exfiltration, and system profiling. Collected information is compressed into ZIP archives and exfiltrated to external servers. The malware deliberately skips systems with a Russian locale setting, suggesting either operational boundaries or a specific geographic focus.


Blockchain-Based Command Infrastructure


Rather than traditional domain-based C2 communication, GlassWorm operators hide their infrastructure within Solana blockchain transactions. The malware queries Solana memos to retrieve C2 server addresses like 45.32.150[.]251. This approach is resilient against traditional network-based takedowns because the pointer to the C2 server lives in public, immutable blockchain data rather than in a domain that can be seized or sinkholed; blocking one server address does not remove the operators' ability to publish a new one. A secondary fallback mechanism uses Google Calendar public event URLs as dead drop resolvers, offering redundancy if the primary Solana-based method fails.
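As an added defender-side illustration (not code from the original post or from any of the cited sources), the Python below extracts candidate C2 URLs and IPs from the memo of a Solana transaction signed by a watchlisted wallet, so hunters can turn a known dead-drop wallet into blocklist indicators. The wallet key, memo text and IP are constructed; the jsonParsed instruction layout and the `Memo (len N): "..."` log line are assumed from the public Solana RPC and SPL Memo program behaviour.

```python
import json
import re

# SPL Memo program ids (v2 and v1) whose instructions carry free-form text.
MEMO_PROGRAM_IDS = {"MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",  # v2
                    "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFMNo"}  # v1
MEMO_LOG = re.compile(r'Program log: Memo \(len \d+\): "(.*)"$')  # spl-memo log format
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')  # loose on purpose; may catch versions

# Constructed sample: a trimmed getTransaction (jsonParsed) response. The wallet
# key, memo text and IP are invented for this example.
SAMPLE_TX = json.loads(r'''{"jsonrpc":"2.0","id":1,"result":{"slot":123456789,
 "transaction":{"message":{
  "accountKeys":[{"pubkey":"AttackerWalletXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","signer":true}],
  "instructions":[
   {"program":"spl-memo","programId":"MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
    "parsed":"c2=http://198.51.100.23:8443/g"}]}},
 "meta":{"logMessages":[
  "Program MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr invoke [1]",
  "Program log: Memo (len 30): \"c2=http://198.51.100.23:8443/g\"",
  "Program MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr success"]}}}''')


def memos_from_instructions(result):
    """Memo text from parsed memo-program instructions (jsonParsed encoding)."""
    return [i["parsed"] for i in result["transaction"]["message"]["instructions"]
            if i.get("programId") in MEMO_PROGRAM_IDS and isinstance(i.get("parsed"), str)]


def memos_from_logs(log_messages):
    """Fallback when instructions are not parsed: recover the memo from program logs."""
    return [m.group(1) for m in map(MEMO_LOG.match, log_messages) if m]


def signers(result):
    return {k["pubkey"] for k in result["transaction"]["message"]["accountKeys"] if k.get("signer")}


def memo_indicators(tx, watchlist):
    """Defanged candidate C2 URLs/IPs from memos signed by a watchlisted wallet."""
    result = tx["result"]
    if not signers(result) & set(watchlist):
        return []  # memo posted by an unrelated wallet: ignore
    memos = memos_from_instructions(result) or memos_from_logs(result["meta"]["logMessages"])
    found = []
    for memo in memos:
        for hit in URL_RE.findall(memo) + IPV4_RE.findall(memo):
            if hit not in found:
                found.append(hit)
    return [h.replace("http", "hxxp").replace(".", "[.]") for h in found]
```

In production the transaction list would come from `getSignaturesForAddress` on the watchlisted wallet followed by `getTransaction` per signature; the extracted values then feed a proxy or firewall blocklist.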


Hardware Wallet Phishing Operations


The campaign includes a sophisticated .NET component designed specifically to target cryptocurrency users. When it detects a Ledger or Trezor hardware wallet connection via Windows Management Instrumentation, it displays convincing fake interface windows. The Ledger phishing window mimics a configuration error, while the Trezor variant shows a "firmware validation failed" message. Both present 24-word recovery phrase input fields matching legitimate wallet interfaces. The malware terminates any real wallet management processes and persists the phishing window until dismissed, maximizing chances of capturing the recovery seed phrase.


Browser Data Stealing and Remote Access


A JavaScript-based RAT component focuses on stealing web browser data across multiple platforms. The malware force-installs a Chrome extension called "Google Docs Offline" designed to appear legitimate. This extension harvests cookies, localStorage data, DOM trees, bookmarks, screenshots, keystrokes, and clipboard content. It monitors cryptocurrency exchange sites like Bybit for authentication cookies and can redirect users to attacker-controlled URLs. The RAT maintains multiple communication methods, including DHT lookups, Solana dead drops, and HVNC (hidden VNC) remote desktop access, giving operators flexible command execution capabilities.


Evolution Into AI Development Ecosystems


Recent activity shows GlassWorm pivoting toward Model Context Protocol servers, with operators publishing fake "WaterCrawl MCP" packages on npm. This represents the campaign's first confirmed move into AI-assisted development tools. The expansion makes operational sense given the high trust placed in MCP servers by design and the rapid adoption of AI tools among developers, which together create both a larger attack surface and a less security-conscious user base.


Recommendations


Developers should carefully verify publisher names and package histories before installation. Open VSX extensions, npm packages, and MCP servers warrant particular scrutiny. Organizations should monitor for suspicious package updates from established projects and implement stricter controls over account access for maintainers with popular packages.


Sources


  • https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html

  • https://x.com/shah_sheikh/status/2036816110255796565

  • https://x.com/TheCyberSecHub/status/2036816523298533471

  • https://www.socdefenders.ai/item/c2aa5cb0-15bb-410a-bffb-16f4c3d9deea

  • https://www.cypro.se/2026/03/25/glassworm-malware-uses-solana-dead-drops-to-deliver-rat-and-steal-browser-crypto-data/

© 2025 by Explain IT Again. Powered and secured by Wix
