Supply Chain Malware “GlassWorm” Deploys Fake Browser Extension for Credential Harvesting
What Happened – GlassWorm infiltrates developer toolchains (npm, PyPI, VS Code extensions) via compromised packages. Once installed, it runs a multi‑stage payload that steals tokens, cloud credentials, and wallet seeds, then installs a remote‑access Trojan and a fake Chrome extension that silently monitors browser activity.
Why It Matters for TPRM –
- Compromised developer dependencies can give attackers footholds inside your production pipelines.
- Stolen credentials enable downstream supply‑chain attacks against your vendors and customers.
- Persistent RATs and covert browser extensions broaden the attack surface beyond the initial developer host.
Who Is Affected – Technology & SaaS firms, cloud service providers, fintech platforms, and any organization that relies on third‑party code libraries or IDE extensions.
Recommended Actions –
- Conduct an inventory of all third‑party packages and VS Code extensions.
- Enforce signed package verification.
- Rotate any exposed tokens/keys.
- Implement runtime monitoring for unauthorized scripts.
- Review supply‑chain security controls with your vendors.
Technical Notes – Attack vector: compromised third‑party packages (npm, PyPI, VS Code Marketplace). The malware uses pre‑install scripts, Unicode loaders, and a Solana blockchain memo to fetch secondary payloads. It exfiltrates browser extension data, wallet seeds, git credentials, and cloud provider tokens, then establishes persistence via scheduled tasks and Run registry keys.
Source: Malwarebytes Labs
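The inventory step under Recommended Actions and the pre‑install script and Unicode loader techniques in the Technical Notes can be checked with a small defender‑side audit. The script below is an added example, not code from Malwarebytes Labs or from the GlassWorm research: it walks a directory tree such as a project's node_modules or a VS Code extensions folder, reports any package.json that declares an install‑time lifecycle hook, and reports JavaScript/TypeScript files containing code points that render as nothing (Unicode format characters, variation selectors, tag characters). It assumes that "Unicode loaders" refers to code hidden behind such invisible characters; the sample tree it builds (package names, hook command, hidden characters) is constructed for the demonstration and is not real malware.

```python
import json
import os
import tempfile
import unicodedata
from pathlib import Path

# npm runs these hooks automatically during install; the brief notes GlassWorm uses pre-install scripts.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumption: the brief's "Unicode loaders" means code hidden behind code points that render as nothing.
# Unicode category Cf (format characters) is caught generically; the variation-selector and tag blocks
# are listed explicitly because parts of them are category Mn rather than Cf.
HIDDEN_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF), (0xE0000, 0xE007F))


def invisible_code_points(text):
    """Return [(codepoint, name)] for every distinct invisible code point in text, sorted by code point."""
    found = {}
    for ch in text:
        cp = ord(ch)
        if unicodedata.category(ch) == "Cf" or any(lo <= cp <= hi for lo, hi in HIDDEN_RANGES):
            found[cp] = unicodedata.name(ch, "UNNAMED")
    return sorted(found.items())


def install_hooks(package_json_path):
    """Return [(hook, command)] for install-time lifecycle scripts declared in a package.json."""
    data = json.loads(Path(package_json_path).read_text(encoding="utf-8"))
    scripts = data.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def audit_tree(root):
    """Walk root (e.g. node_modules or ~/.vscode/extensions) and return (file, kind, detail) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == "package.json":
                try:
                    for hook, cmd in install_hooks(path):
                        findings.append((str(path), "install-hook", f"{hook}: {cmd}"))
                except (json.JSONDecodeError, UnicodeDecodeError):
                    findings.append((str(path), "unparseable-manifest", ""))
            elif path.suffix in (".js", ".mjs", ".cjs", ".ts"):
                try:
                    hidden = invisible_code_points(path.read_text(encoding="utf-8"))
                except UnicodeDecodeError:
                    continue  # not valid UTF-8 text; out of scope for this check
                if hidden:
                    detail = ", ".join(f"U+{cp:04X} {nm}" for cp, nm in hidden)
                    findings.append((str(path), "invisible-unicode", detail))
    return findings


def build_sample_tree(base):
    """Create a constructed sample tree: one clean package, one package with a postinstall hook,
    and one extension whose JS carries hidden characters. All names and contents are made up."""
    base = Path(base)
    clean = base / "node_modules" / "left-pad-ish"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "left-pad-ish", "scripts": {"test": "node test.js"}}))
    (clean / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")

    hooked = base / "node_modules" / "totally-fine-utils"
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(
        json.dumps({"name": "totally-fine-utils", "scripts": {"postinstall": "node ./setup.js"}}))

    ext = base / "extensions" / "example-ext-0.0.1"
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({"name": "example-ext", "scripts": {}}))
    # Zero-width space, zero-width joiner and a variation selector interleaved with ordinary code.
    (ext / "extension.js").write_text("function activate() {\u200b\u200d\ufe0f return 1; }\n", encoding="utf-8")
    return base


def audit_sample():
    """Build the constructed sample in a temporary directory and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for file, kind, detail in audit_sample():
        print(f"[{kind}] {file}: {detail}")
```

Run it against a real tree with `audit_tree("node_modules")` or the VS Code extensions directory; every install‑hook finding is a command that ran (or will run) automatically at install time and deserves a look, and any invisible‑unicode finding in source that a human supposedly wrote is a strong signal. A UTF‑8 byte‑order mark (U+FEFF) is category Cf and will also be flagged, so a leading BOM at file offset zero can be treated as benign.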