New GlassWorm Malware Wave Targets macOS Developers Through Trojanised Crypto Wallets and VS Code Extensions
A renewed wave of the GlassWorm malware campaign is actively targeting macOS users, with a strong focus on software developers and cryptocurrency holders. The latest iteration leverages trojanised cryptocurrency wallets and malicious Visual Studio Code extensions to steal credentials, keychain secrets, and cryptocurrency assets, reflecting a clear evolution toward higher-value targets.
Security researchers report that GlassWorm has re-emerged with improved stealth, stronger encryption, and expanded post-compromise capabilities, despite previous takedown efforts and increased platform defenses.
Overview of the GlassWorm campaign
The current GlassWorm wave is distributed through malicious extensions published on developer ecosystems such as OpenVSX and the Microsoft Visual Studio Marketplace. These extensions impersonate legitimate developer tools, allowing attackers to exploit the inherent trust developers place in popular extension repositories.
Once installed, the extension operates as an initial access vector, executing additional malicious logic outside the extension sandbox.
Target profile and infection scope
The campaign primarily targets macOS developers working on blockchain, Web3, and cryptocurrency-related projects. These users often possess high-value credentials such as API keys, cloud access tokens, and private wallet keys.
Rather than mass infection, GlassWorm focuses on a smaller number of high-value victims, maximising financial return while reducing detection noise.
Trojanised cryptocurrency wallets
A notable evolution in this wave is the delivery of trojanised cryptocurrency wallets either directly or as secondary payloads triggered by malicious extensions. These fake wallets closely replicate legitimate applications while embedding hidden components that intercept wallet credentials and transaction activity.
The malware specifically targets both software wallets and connected hardware wallets, increasing the likelihood of direct cryptocurrency theft.
Malicious VS Code extension behaviour
The malicious extensions contain embedded JavaScript logic that executes post-installation, enabling payload download, environment profiling, and persistence setup. The code is often obfuscated and blends with legitimate extension functionality to evade casual inspection.
Credential and keychain data theft
GlassWorm harvests credentials stored within the macOS Keychain, including browser passwords, developer platform tokens, cloud service credentials, and cryptographic material associated with wallet applications.
By extracting keychain entries, attackers gain access to source repositories, CI/CD systems, cloud infrastructure, and financial accounts.
Encryption and command-and-control
The latest samples use AES-256-CBC encryption to protect exfiltrated data in transit. Each victim session uses dynamically generated keys, significantly complicating network inspection and static signature detection.
Encrypted command-and-control traffic further obscures attacker activity, allowing prolonged access before discovery.
Persistence on macOS systems
GlassWorm establishes persistence using LaunchAgents that trigger execution at user login. AppleScript-based execution chains are used to reinstall components if removed, increasing resilience against partial cleanup attempts.
This persistence model allows the malware to survive reboots and maintain long-term access without elevated privileges.
Post-compromise capabilities
Beyond credential theft, the malware includes advanced capabilities such as SOCKS proxy traffic routing and VNC-based remote desktop access. This enables attackers to interact directly with compromised systems or repurpose them as relay infrastructure.
Such capabilities suggest potential secondary monetisation through access resale or follow-on attacks.
Why developers are prime targets
Developers frequently install third-party tools, extensions, and beta software, creating an expanded attack surface. Many also hold privileged access to production systems and digital assets, making them attractive targets for financially motivated actors.
The GlassWorm campaign exploits this reality by embedding itself into trusted development workflows.
Detection and response challenges
GlassWorm blends into normal developer activity, uses encrypted communications, and relies on native macOS persistence mechanisms. Traditional antivirus solutions may not immediately flag such activity, particularly when payloads are fetched dynamically.
Behaviour-based monitoring and extension auditing are critical for identifying compromise.
Recommended mitigation actions
macOS users should review all installed VS Code extensions and remove any that are unnecessary or unfamiliar. Compromised systems should undergo full credential rotation, including developer platform tokens, cloud credentials, and cryptocurrency wallets.
Hardware wallets should be reinitialised if exposure is suspected, and persistence artefacts such as LaunchAgents should be audited.
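An added audit helper for the two checks just listed, written for this article and not taken from it or from any GlassWorm analysis: it flags LaunchAgent plists carrying the persistence traits described above and lists installed VS Code extensions by publisher against an allow-list. The heuristics, directory layout and the publisher names in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added audit helper, not code from the article or the malware. It covers the
# two artefact classes the article asks responders to review: LaunchAgent
# plists showing the persistence traits described (osascript execution chains,
# login-time downloaders, programs in temp or hidden paths) and installed
# VS Code extensions grouped by publisher. Directories are passed explicitly
# so the checks can run against a copy taken from a suspect machine.

# audit_launchagents DIR: print "SUSPECT <file>:<reasons>" for each plist that
# matches a heuristic; prints nothing when the directory is clean.
audit_launchagents() {
    for plist in "$1"/*.plist; do
        [ -f "$plist" ] || continue
        reasons=""
        # AppleScript-based reinstall chains run through osascript
        grep -q 'osascript' "$plist" && reasons="$reasons osascript"
        # stagers that fetch the real payload at every login
        grep -Eq 'curl|wget' "$plist" && reasons="$reasons downloader"
        # program in a temp dir or a dot-directory under the user's home
        grep -Eq '<string>(/tmp|/var/tmp|/private/tmp|/Users/[^/<]*/\.)' "$plist" \
            && reasons="$reasons hidden_path"
        [ -n "$reasons" ] && echo "SUSPECT $plist:$reasons"
    done
    return 0
}

# list_extensions DIR: print "<publisher> <name> <version>" per extension folder
# (VS Code names them publisher.name-version under ~/.vscode/extensions).
list_extensions() {
    for ext in "$1"/*/; do
        [ -f "$ext/package.json" ] || continue
        basename "$ext" | sed -E 's/^([^.]+)\.(.+)-([0-9]+(\.[0-9]+)*.*)$/\1 \2 \3/'
    done
    return 0
}

# unknown_publishers DIR "pub1 pub2 ...": print extensions whose publisher is
# not in the space-separated allow-list, so unfamiliar ones stand out.
unknown_publishers() {
    list_extensions "$1" | while read -r pub name ver; do
        case " $2 " in
            *" $pub "*) ;;
            *) echo "UNKNOWN $pub.$name $ver" ;;
        esac
    done
    return 0
}

# Typical live use on the affected account (publisher names are examples):
#   audit_launchagents "$HOME/Library/LaunchAgents"
#   unknown_publishers "$HOME/.vscode/extensions" "ms-python dbaeumer esbenp"
```

A hit from either function is a starting point for review, not proof of compromise; legitimate agents occasionally use osascript, so inspect the flagged plist and the program it launches before removing it.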
Conclusion
The latest GlassWorm malware wave demonstrates a mature, financially motivated threat targeting macOS developers through trusted software ecosystems. By combining trojanised wallets, malicious extensions, strong encryption, and persistent access, the attackers have built a stealthy and highly effective operation.
The campaign reinforces a critical lesson for developer security: trusted tools can become attack vectors, and continuous scrutiny of development environments is now essential.