BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

GlassWorm Attack Steals Data Via Fake Chrome Extension

GlassWorm evolves into a multi-stage malware using Solana blockchain and AI tool impersonations.

  • GlassWorm attackers now use a multi-stage framework that steals data and delivers a remote access trojan via a malicious Chrome extension.
  • The malware employs the Solana blockchain to hide its command server and specifically targets cryptocurrency hardware wallets with phishing windows.
  • A new Python tool called glassworm-hunter has been released to help developers scan their systems for these payloads.
  • The campaign has evolved to impersonate trusted npm packages, including an AI development tool called the WaterCrawl MCP server.

Cybersecurity researchers revealed on March 25, 2026, that the persistent GlassWorm campaign has evolved into a sophisticated multi-stage attack framework. This new evolution, as detailed by Aikido security researcher Ilyas Makari, delivers a powerful information-stealing Google Chrome extension and a remote access trojan (RAT). The initial infection spreads through poisoned packages on trusted platforms like npm, PyPI, and GitHub.

- Advertisement -

The attack chain cleverly avoids systems with Russian locales and uses Solana blockchain transactions as a dead drop resolver to find its command server. Consequently, it downloads operating system-specific payloads designed for comprehensive data theft. This stage-two framework harvests credentials, exfiltrates cryptocurrency wallets, and profiles the victim’s system before sending the data to an external server.

Once data is transmitted, the malware fetches additional components including a .NET binary that performs hardware wallet phishing. This binary uses Windows Management Instrumentation to detect when a Ledger or Trezor wallet is connected and displays a fake error window to steal the 24-word recovery phrase. The malware persistently reopens the phishing window if closed and kills legitimate Ledger Live processes on the host machine.

Meanwhile, a separate JavaScript RAT component uses a Distributed Hash Table (DHT) and the Solana blockchain to establish communication. This RAT can run commands to deploy a hidden remote desktop, operate a SOCKS proxy, and execute arbitrary code. It also force-installs a malicious Chrome extension masquerading as “Google Docs Offline,” which steals cookies, keystrokes, screenshots, and even monitors specific sites like Bybit.

Researchers noted this campaign represents GlassWorm‘s first confirmed move into the AI-assisted development ecosystem by publishing a malicious npm package impersonating the WaterCrawl MCP server. In response, Polish cybersecurity company AFINE has published an open-source Python tool to help developers scan for these stealthy payloads locally.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Bitcoin Has Further to Fall for Cycle Bottom Signal

One of Bitcoin's "cleanest cycle clocks" suggests that new macro lows are needed this...

Oil Plunges 20% as US-Iran Peace Deal Hangs in Balance

Brent and crude oil prices have fallen nearly 20% in a month after a...

Semiconductors Beat Big Tech, Crypto by 102% in H1

Semiconductor stocks surged 102% in H1 2026, crushing the Magnificent Seven and Bitcoin ...

Crypto Options Skew Hits Record High as Institutional Bid Vanishes

CME futures open interest has dropped to a 32-month low, signaling the institutional bid...

SpaceX Joins Nasdaq-100, Triggering ETF Demand

SpaceX joins the Nasdaq-100 on Tuesday, but its index weight is limited to roughly...

Must Read

9 DePIN Programs For Passive Income

Here’s something most people don’t realize: your smartphone and PC can generate passive income with almost no effort.I’m not talking about clicking ads for...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading