In the shadowy world of supply chain attacks, a new menace called GlassWorm is slithering into developer tools, poised to steal credentials, deploy remote access trojans (RATs), and even hijack browsers.
Starting with coders on platforms like npm, GitHub, and PyPI, this malware doesn’t stop there; it grabs access tokens, git creds, and cloud keys to fuel broader attacks on companies and everyday users. Imagine downloading what seems like a routine VS Code extension, only to unleash a silent thief that fingerprints your machine and phones home via blockchain.
GlassWorm spreads via compromised developer channels. Attackers hijack popular npm or PyPI packages or upload fresh malicious ones, tricking devs into installing tainted updates. A seemingly legit maintainer account turns rogue, and boom: your system is in play.
Once installed, a preinstall script or hidden Unicode loader kicks off. It scans for a Russian locale (execution halts if found, hinting at targeted ops) and idles for hours. Then it queries the Solana blockchain’s memo field in a transaction for stage-two instructions, smartly dodging takedowns of hardcoded links.
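The two install-time tricks just described, a package lifecycle script and code hidden behind invisible Unicode, are both things a defender can scan for before a package or extension is installed. The script below is an added example written for this article, not code from the article or from any vendor analysis of GlassWorm; the set of "invisible" code-point ranges, the minimum run length, and the sample package.json and source files are assumptions constructed for illustration.

```python
"""Added example: pre-install triage for a package directory.

Flags (1) lifecycle hooks in package.json, which run automatically on
install, and (2) runs of invisible Unicode code points in source text,
the trick used to hide a loader in plain sight. Ranges and samples are
constructed assumptions, not indicators taken from the article.
"""
from __future__ import annotations

import json
import unicodedata

# npm hooks that execute without the developer doing anything beyond `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "prepare", "preuninstall", "postuninstall")

# Code points that render as nothing (or nearly nothing) in an editor.
# Assumed set for this example; variation selectors are category Mn, so they
# need listing explicitly rather than relying on the "Cf" check below.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM/RLM
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # tag characters
)


def is_invisible(ch: str) -> bool:
    """True for a code point that a casual code review would not see."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"  # other format characters


def lifecycle_scripts(package_json: str) -> dict[str, str]:
    """Return the lifecycle hooks a package.json declares, keyed by hook name."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def invisible_runs(text: str, min_run: int = 8) -> list[tuple[int, int]]:
    """Return (offset, length) for each run of >= min_run invisible code points.

    A single soft hyphen or zero-width joiner is normal text; a long run is
    a carrier for hidden bytes, so only runs are reported.
    """
    runs: list[tuple[int, int]] = []
    i, n = 0, len(text)
    while i < n:
        if not is_invisible(text[i]):
            i += 1
            continue
        j = i
        while j < n and is_invisible(text[j]):
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j
    return runs


def triage_package(package_json: str, sources: dict[str, str]) -> list[str]:
    """Combine both checks into human-readable findings."""
    findings = []
    for hook, cmd in lifecycle_scripts(package_json).items():
        findings.append(f"package.json: lifecycle hook '{hook}' runs: {cmd}")
    for name, text in sources.items():
        for off, ln in invisible_runs(text):
            findings.append(f"{name}: {ln} invisible code points at offset {off}")
    return findings


# Constructed sample input: a package.json with a preinstall hook, and a JS
# file that encodes bytes as variation selectors after a harmless statement.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {"preinstall": "node loader.js", "test": "jest"},
})
HIDDEN = "".join(chr(0xFE00 + (b % 16)) for b in b"payload-bytes")
SAMPLE_SOURCES = {
    "index.js": "module.exports = () => 'hello';\n",
    "loader.js": "const x = 'a';" + HIDDEN + "\n",
}

if __name__ == "__main__":
    for finding in triage_package(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES):
        print(finding)
```

Run it against a real package by reading `package.json` and each `.js` file into the two arguments; a hit on either check is a reason to read the package source before installing, not proof of compromise.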
Stage two unleashes an infostealer feasting on browser extensions, crypto wallets like Ledger/Trezor, .txt files with seeds, npm tokens, VS Code secrets, and cloud creds. Data zips out via POST to attacker servers, arming hackers for phishing or lateral moves.
Enter stage three: two payloads drop a phishing binary for plugged-in hardware wallets and a Node.js RAT packed with credential stealers and a Chrome extension installer. Persistence locks in via scheduled tasks and registry keys, ensuring it survives reboots.
The RAT evades detection by using a distributed hash table (DHT) to look up its C2 public key. Fallback? Solana blockchain again for fresh IPs.
The RAT force-installs a fake “Google Docs Offline” Chrome extension (v1.95.1; dirs: jucku on Windows, myextension on macOS). This beast snags cookies, localStorage, full DOM trees, bookmarks, screenshots, keystrokes, clipboard, history (up to 5,000 entries), and extension lists, amounting to pure session surveillance.
Victims might spot odd outbound connections, startup entries, or the rogue extension if vigilant. Otherwise, it’s ghost mode.
Primarily targeting crypto-holding developers, GlassWorm’s loot enables devastating supply-chain cascades, compromising repos and end users alike.
Stay safe with these:
- Pin known-good package versions; scrutinize maintainer changes or minor-release overhauls.
- Audit extensions; nuke unknowns, especially “Google Docs Offline” dupes.
- Inspect scheduled tasks (e.g., an “UpdateApp” task running AghzgY.ps1) and registry Run entries (HKCU…\Run\UpdateApp or UpdateLedger).
- Deploy real-time anti-malware to block IOCs like IPs: 45.32.150[.]251, 217.69.3[.]152, 217.69.0[.]159, 45.150.34[.]158.
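The four checks above can be run as one offline triage pass over data already collected from a host. The script below is an added example for this article, not code from the article or from any vendor tooling; the indicators are the ones the article lists (the IPs stay defanged as printed and are re-fanged only at compare time), while the input formats, the Web Store id pattern used to tell the genuine extension apart from a look-alike, and every sample value are assumptions constructed for illustration.

```python
"""Added example: host triage against the article's GlassWorm indicators.

Each check takes already-collected data (extension manifests, a scheduled-
task listing, Run-key values, active connections) so it runs offline. All
sample inputs and placeholder paths below are constructed, not observed.
"""
from __future__ import annotations

import re

# Indicators as the article lists them.
IOC_IPS = {"45.32.150[.]251", "217.69.3[.]152", "217.69.0[.]159", "45.150.34[.]158"}
IOC_EXT_NAME = "Google Docs Offline"
IOC_EXT_VERSION = "1.95.1"
IOC_EXT_DIRS = {"jucku", "myextension"}   # Windows / macOS install directories
IOC_TASK_NAMES = {"UpdateApp"}
IOC_TASK_SCRIPT = "AghzgY.ps1"
IOC_RUN_VALUES = {"UpdateApp", "UpdateLedger"}

# Assumption used here: a Web Store extension lives in a directory named by
# its 32-character id (letters a-p), so a same-named extension elsewhere is a look-alike.
WEBSTORE_ID = re.compile(r"^[a-p]{32}$")
# local:port  remote:port as printed by netstat-style tools (constructed format).
CONN_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def refang(ip: str) -> str:
    """Turn the defanged form used in reports back into a comparable address."""
    return ip.replace("[.]", ".")


def check_extensions(manifests: list[dict]) -> list[str]:
    """manifests: one dict per installed extension with keys dir, name, version."""
    hits = []
    for m in manifests:
        in_ioc_dir = m["dir"] in IOC_EXT_DIRS
        lookalike = m["name"] == IOC_EXT_NAME and not WEBSTORE_ID.match(m["dir"])
        ioc_version = m["name"] == IOC_EXT_NAME and m["version"] == IOC_EXT_VERSION
        if in_ioc_dir or lookalike or ioc_version:
            hits.append(f"extension '{m['name']}' v{m['version']} in {m['dir']}")
    return hits


def check_tasks(tasks: list[tuple[str, str]]) -> list[str]:
    """tasks: (task name, action command line) pairs."""
    return [f"scheduled task '{name}' -> {action}"
            for name, action in tasks
            if name in IOC_TASK_NAMES or IOC_TASK_SCRIPT.lower() in action.lower()]


def check_run_keys(run_values: dict[str, str]) -> list[str]:
    """run_values: value name -> command under the user's Run key."""
    return [f"Run value '{k}' -> {v}" for k, v in run_values.items() if k in IOC_RUN_VALUES]


def check_connections(netstat_lines: list[str]) -> list[str]:
    """Flag lines whose remote address is one of the listed C2 IPs."""
    bad = {refang(ip) for ip in IOC_IPS}
    hits = []
    for line in netstat_lines:
        m = CONN_RE.search(line)
        if m and m.group(3) in bad:
            hits.append(f"connection to {m.group(3)}:{m.group(4)}")
    return hits


def triage(manifests, tasks, run_values, netstat_lines) -> dict[str, list[str]]:
    return {
        "extensions": check_extensions(manifests),
        "tasks": check_tasks(tasks),
        "run_keys": check_run_keys(run_values),
        "connections": check_connections(netstat_lines),
    }


# Constructed samples: one clean and one suspicious entry per data source.
SAMPLE_EXTENSIONS = [
    {"dir": "abcdefghijklmnopabcdefghijklmnop", "name": "Google Docs Offline", "version": "1.80.0"},
    {"dir": "jucku", "name": "Google Docs Offline", "version": "1.95.1"},
]
SAMPLE_TASKS = [
    ("OneDrive Sync", r"C:\PLACEHOLDER\OneDrive.exe"),
    ("UpdateApp", r"powershell.exe -File C:\PLACEHOLDER\AghzgY.ps1"),
]
SAMPLE_RUN = {"ExampleAgent": r"C:\PLACEHOLDER\agent.exe", "UpdateLedger": r"C:\PLACEHOLDER\update.exe"}
SAMPLE_NETSTAT = [
    "TCP    10.0.0.5:52344    93.184.216.34:443    ESTABLISHED",
    "TCP    10.0.0.5:52345    45.32.150.251:443    ESTABLISHED",
]

if __name__ == "__main__":
    for source, hits in triage(SAMPLE_EXTENSIONS, SAMPLE_TASKS, SAMPLE_RUN, SAMPLE_NETSTAT).items():
        for hit in hits:
            print(f"[{source}] {hit}")
```

Feed it real data by listing the Chrome extension directories, exporting scheduled tasks and the HKCU Run key, and capturing a connection table; matching the IPs is the weakest check, since the article notes the RAT rotates C2 addresses via DHT and the blockchain, so treat the extension, task and Run-key hits as the durable signals.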
GlassWorm underscores the fragility of dev ecosystems.
Site: cybersecuritypath.com